Unfortunately, the failure to test is not limited to firewall
software. This is NOT a subject that gets any support from upper
management. This holds true for software vendors, VARs, integrators, end
user companies, etc. ad nauseam. Why should you be surprised by this for
one particular product?

Note that I don't agree with this, just suffered with it for far
longer than I care to think about. Bugs will be found in firewalls the
same way that they are found in all products: by the customer. This will
continue until someone figures out a way to successfully sue a software
company for lost data, lost productivity, and lost revenue and market
share.

From what I've seen out of Lotus, Microsoft, Novell, Borland, I
don't think they are too worried about that particular threat. Should
the firewall vendors? I sure hope they are, because if a bug opens a
hole that causes my company lost revenue or embarrasses us, I will go after
the vendor.
Jim Smilanich           | "A man should be able to pilot a starship, plan an
jsmilan@winternet.com   | invasion, diaper a baby..... specialization is for
Winternet is my access  | insects!" -- Lazarus Long
provider, so don't blame|
them for my opinions!   |
On Tue, 25 Apr 1995 firewalls-digest-owner@GreatCircle.COM wrote:
>
> From: fc@all.net (Dr. Frederick B. Cohen)
> Date: Tue, 25 Apr 1995 08:00:17 -0400 (EDT)
> Subject: Firewall Failure Modes
>
> I am getting really confused. A lot of people on this list seem to
> think that testing is a theoretical thing that you do to stop
> theoretical threats, and that practical programmers don't need to do
> testing because they can look at their code and know it's right.
>
> Unless there has been a revolution in information technology that I
> am not aware of, this is completely backward and counter to all of
> the real-world history of information technology. Nevertheless, I
> have attempted to capture this in the following paragraph, and ask
> for comments from the list readers:
>
> Most of the firewall vendors and other people on this list write
> programs, never test them at the boundary conditions, and assume that
> they work properly because the code looks right to them and seems to
> work when they try it on their application. When someone asks about
> boundary conditions, they say they have never tested it, but that they
> looked at the source code and figure it will work the same way under
> high stress conditions as under normal load conditions. The lack of
> experimental confirmation presents no problem for the producers or
> consumers and presents no impediment to the purchase of a firewall from
> such a vendor.
>
> - --
> - -----------------
>    \Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
>     \ /\/        | Check out info-security heaven and test your system
>      \/\ /\/     | for known vulnerabilities (1st time for free) at URL:
>       \/Analytics| (scans deeper than SATAN or ISS) http://all.net:8080
> - -----------------
> Read "Protection and Security on the Information Superhighway"
> -just released by Wiley and Sons-