I disagree. If that really is the choice, they should drop the secure moniker without further debate.
--
If you produce a product that claims to be secure, the onus is on you to back up those claims.
Off the top my my head there are many ways to implement measures that can help to encourage security going forward.
One of the benefits of coding in the open, and ascribing to opens standards and protocols is transparency and the ability for all to interrogate the code.
Can that work? It's obviously partly also down to the culture of the product team. As another poster in this thread has highlighted, the commit messages are terse and not as helpful as they could be. Perhaps more openness re. intention would help.
Also, why are we finding out about this bug over 7 months after it was reported? Transparency regarding vulnerabilities needs to be at the forefront of the products communications if the team really are serious about security.
In terms of isolating bugs; what kind of testing is in place. TDD, functional testing, beta testing?
There are so many avenues which _could_ be discussed in relation to my initial question.
Your response, is unfortunately not providing anything helpful.
> One of the benefits of coding in the open, and ascribing to opens standards and protocols is transparency and the ability for all to interrogate the code.
--
If you produce a product that claims to be secure, the onus is on you to back up those claims.
Off the top my my head there are many ways to implement measures that can help to encourage security going forward.
One of the benefits of coding in the open, and ascribing to opens standards and protocols is transparency and the ability for all to interrogate the code.
Can that work? It's obviously partly also down to the culture of the product team. As another poster in this thread has highlighted, the commit messages are terse and not as helpful as they could be. Perhaps more openness re. intention would help.
Also, why are we finding out about this bug over 7 months after it was reported? Transparency regarding vulnerabilities needs to be at the forefront of the products communications if the team really are serious about security.
In terms of isolating bugs; what kind of testing is in place. TDD, functional testing, beta testing?
There are so many avenues which _could_ be discussed in relation to my initial question.
Your response, is unfortunately not providing anything helpful.