Forget about Security - We have a tool...

HI...

 

ok this is actually misleading: We (e.g. Microsoft or any other group I belong to) do not have a tool. But there are some people out there who claim to have one...

I found this blog article by Michael Howard (see https://blogs.msdn.com/michael_howard/archive/2008/01/10/open-source-projects-certified-as-secure-huh.aspx) talking about this. While I don't know Michael that personally (I would not dare calling him a friend) I saw him quite often and I think I have a good impression on how his face looked when he wrote this posting... ;-) )

Michael (as lots of others in the security arena) always warn for making it to simple. There are lots of industries working on - say - similar security issues like the IT industry today. Take for example the aerospace. They all learned how to tackle the problem and how to cope with this tiny little rest of uncertainty. THEY ALL LEARNED THAT THE IDEA OF HAVING THE FINAL TOOL IS THE STARTING POINT OF A DISASTER!!!

While I certainly respect the efforts of the tool vendor to position their tool as top of pops do not fall into this gap. People might take it just like you said it!!

Here Donald E. Knuth comes to my mind. He stated once:

"Beware of bugs in the above code; I have only proved it correct, not tried it."

(See https://en.wikipedia.org/wiki/Donald_Knuth)

Apropos Knuth: I am just thinking about one thing we really should try... Remember TeX?? Donald E. Knuth did a bet on the quality of the software he wrote. He offered a cheque for every bug that is found. And he was even willing to pay ever increasing sums (well, he then stopped at around 300 $ as far as I remember). Taking this long time proven code how would it cope with today's security issues?? 

Oh, dear. We still have to go such a long way...

CU

0xff