Secure Coding mailing list archives
Re: Application Insecurity --- Who is at Fault?
From: Michael Silk <michaelslists () gmail com>
Date: Thu, 07 Apr 2005 03:08:32 +0100
On Apr 7, 2005 1:16 AM, Goertzel Karen <[EMAIL PROTECTED]> wrote:
> I think it's a matter of SHARED responsibility. Yes, the programmers and their managers are directly responsible. But it's consumers who create demand, and consumers who, out of ignorance, continue to fail to make the connection between bad software security and the viruses, privacy, and other issues about which they are becoming increasingly concerned.

Quite frankly I don't think consumers need to care at all about this. Do you, when buying chips, ask how they were cooked? Do you go back and inspect the kitchen? Do you ask for a report on their compliance with local health laws? No. The most you might do is glance at a box with some ticks on it. Why should software be any different? Why place the burden on consumers to now evaluate the security of your products? Not only do they not care, nor do they have the time; they wouldn't know where to start!

> The consumer can't be held responsible for his ignorance...

Exactly!

> Because practitioners of "safe software" have not done a very good job of getting the message out in terms that consumers, vs. other software practitioners and IT managers, can understand. I propose that the following is the kind of message that might make a consumer sit up and listen: "We understand that you buy software to get your work or online recreation done as easily as possible. But being able to get that work done WITHOUT leaving yourself wide open to exploitation and compromise of YOUR computer and YOUR personal information is also important, isn't it?

Answer: Duh.

> "A number of software products, including some of the most popular ones, are full of bugs and other vulnerabilities that DO leave those programs wide open to being exploited by hackers so they can get at YOUR personal information, and take over YOUR computing resources.

Answer: So? I need to use them.

> "Why is such software allowed to be sold at all? Because no-one regulates the SECURITY of the software products that these companies put out, least of all the programmers who write that software. And, more importantly, because you the consumer haven't been told before that you can make a difference. You can vote with your feet.

Answer: But how will I pay my GST next month if I can't use my accounting program? I don't want to waste time transferring all my data to another product...

> "Demand that the software you use not be full of holes and 'undocumented features' that can be exploited by hackers.

Answer: How? I buy my software at a department store.

> If we can start to raise consumer awareness

It's easy to blame the consumer - it means we programmers/management/whatever don't need to do anything until they ask us. But they will _never_ be able to ask all the right questions. _Never_. So to put that requirement on them is just our 'easy way out' of the problem.

-- Michael
> --
> Karen Goertzel, CISSP
> Booz Allen Hamilton
> 703-902-6981
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Silk
> Sent: Wednesday, April 06, 2005 9:40 AM
> To: Kenneth R. van Wyk
> Cc: Secure Coding Mailing List
> Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?
>
> Quoting from the article:
>
> ''You can't really blame the developers,''
>
> I couldn't disagree more with that ... It's completely the developers' fault (and managers'). 'Security' isn't something that should be thought of as an 'extra' or an 'added bonus' in an application. Typically it's just about programming _correctly_!
>
> The article says it's a 'communal' problem (i.e.: consumers should _ask_ for secure software!). This isn't exactly true, and not really fair. Insecure software or secure software can exist without consumers. They don't matter. It's all about the programmers. The problem is they are allowed to get away with their crappy programming habits - and that is the fault of management, not consumers, for allowing 'security' to be thought of as something separate from 'programming'.
>
> Consumers can't be punished and blamed, they are just trying to get something done - word processing, emailing, whatever. They don't need to - nor should, really - care about lower-level security in the applications they buy. The programmers should just get it right, and managers need to get a clue about what is acceptable 'programming' and what isn't.
>
> Just my opinion, anyway.
>
> -- Michael
>
> On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
> > Greetings++,
> >
> > Another interesting article this morning, this time from eSecurityPlanet. (Full disclosure: I'm one of their columnists.) The article, by Melissa Bleasdale and available at http://www.esecurityplanet.com/trends/article.php/3495431, is on the general state of application security in today's market. Not a whole lot of new material there for SC-L readers, but it's still nice to see the software security message getting out to more and more people.
> >
> > Cheers,
> >
> > Ken van Wyk
> > --
> > KRvW Associates, LLC
> > http://www.KRvW.com