Re: Yoran on the state of software security

[Nick FitzGerald <nick () virus-l demon co uk>]

"Greenarrow 1" <[EMAIL PROTECTED]> wrote:

> I feel government should not become involved with the internet and/or its
> security.  For one if people look at the governments security most 
> departments have a grade of C or below.  ...

Not that I'm trying to suggest that "the government" -- I guess you 
really mean "the US government" so I'll add "or any other government"
-- necessarily should be the driver of such things, but the only reason 
you know how bad ("C or below" you say) your government departments are 
at IT security is because they actually care enough to one, try to 
measure it and two, publish the results.

> ...  Would you want someone like that
> telling you how to secure programming?

Well, there is plenty of anecdotal evidence that suggests the rest of 
the private sector is _worse_ than the government sector, so I strongly 
doubt that self-policing will work!

And worse still, the private sector is _heavily_ motivated to hide that 
fact.  If the (US) private sector really was going to be the saviour of 
IT security, it would have been rampantly in favour of recent attempts 
to add IT security compliance statements to federal reporting documents 
for publicly listed and traded companies (or have been championing even 
stronger measures!), but what did it do -- that's right, lobbied really 
hard to get such measures and any suggestion of them removed.

If the private sector really was vested in IT security concerns it 
would be rooting for removal of the liability exempt status that almost 
exclusively applies to computer software and its developers.  What 
other "responsible" professional business sector has got away with such 
a scam for so long?  And don't try to sell me that "but it will depress 
innovation" BS -- "we" don't have to beat the stinking pinko commie rat-
b*stards to the moon, or anywhere else, any more so why are so many 
software developers (and their political pointsmen) still saddled with 
such a short-sighted, Cold War mentality that is clearly a significant 
anti-quality, and therefore anti-security, driver?  Oh, and the "but it 
will kill open-source" BS'ers can butt out too -- if your code is that 
bad that you won't take _any_ responsibility for it, don't publish it 
_regardless_ of the licensing terms and, if it is any good, what 
possible damage (apart from to your reputation and ongoing business 
viability) can liability to, say, the cost of the software, do to you?  
(Of course, such a move may have the effect of "forcing" most large s/w 
developers to adopt freeware or open source approaches to make their 
insurance premiums affordable, but that would not necessarily be a bad 
result.)

Why hasn't the private sector been actively in favour (beyond actively 
mouthing support for the general notion that better IT security is 
something we all need) of public IT security reporting standards, 
removing software's "liability exempt" status, or any other concrete 
measures to get a handle on the scale of the problem, provide means to 
measure whether we're slipping, holding or improving and so on?

It wouldn't be that there are vested financial interests in treating us 
like mushrooms (keeping us in the dark and feeding us sh*t)?

Surely not!  How scurrilous a suggestion...

...

Above I said your government departments "care enough" to actually try 
to provide some IT security metrics.   In fact, I'm sure they don't 
care for it at all and would prefer, like their private sector 
counterparts, to not have to do anything of the sort.  The reason they 
"care enough" to make such measurements is simply because they are  
required to do so.  I would just love to see how the high and mighty, 
reputedly IT security loving, US private sector stacked up against the 
same metrics...


Regards,

Nick FitzGerald