Secure Coding mailing list archives

RE: Application Insecurity --- Who is at Fault?


From: "Goertzel Karen" <goertzel_karen () bah com>
Date: Wed, 06 Apr 2005 17:20:45 +0100

I think it's a matter of SHARED responsibility. Yes, the programmers and
their managers are directly responsible. But it's consumers who create
demand, and consumers who, out of ignorance, continue to fail to make
the connection between bad software security and the viruses, privacy,
and other issues about which they are becoming increasingly concerned.

The consumer can't be held responsible for his ignorance...at least not
yet. Because practitioners of "safe software" have not done a very good
job of getting the message out in terms that consumers, vs. other
software practitioners and IT managers, can understand.

I propose that the following is the kind of message that might make a
consumer sit up and listen:

"We understand that you buy software to get your work or online
recreation done as easily as possible. But being able to get that work
done WITHOUT leaving yourself wide open to exploitation and compromise
of YOUR computer and YOUR personal information is also important, isn't
it?

"A number of software products, including some of the most popular ones,
are full of bugs and other vulnerabilities that DO leave those programs
wide open to being exploited by hackers so they can get at YOUR personal
information, and take over YOUR computing resources.

"Why is such software allowed to be sold at all? Because no-one
regulates the SECURITY of the software products that these companies
put out, least of all the programmers who write that software. And, more
importantly, because you the consumer haven't been told before that you
can make a difference. You can vote with your feet.

"Demand that the software you use not be full of holes and 'undocumented
features' that can be exploited by hackers. When you go out to buy a
lawn mower, you wouldn't buy a model that has a well-published track
record of its blades flying off. By the same token, you shouldn't buy a
software package that has a well-documented track record of being
successfully compromised by viruses, Trojan horses, and other hacker
tricks."

If we can start to raise consumer awareness in terms that consumers can
understand (avoiding the arcane terminology of software practitioners),
maybe we can start reducing demand for notoriously insecure software
products, and increasing demand for software that is developed with
security in mind.

--
Karen Goertzel, CISSP
Booz Allen Hamilton
703-902-6981
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Silk
Sent: Wednesday, April 06, 2005 9:40 AM
To: Kenneth R. van Wyk
Cc: Secure Coding Mailing List
Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?

Quoting from the article:
''You can't really blame the developers,''

I couldn't disagree more with that ...

It's completely the developers' fault (and managers'). 'Security' isn't
something that should be thought of as an 'extra' or an 'added bonus'
in an application. Typically it's just about programming _correctly_!

The article says it's a 'communal' problem (i.e. consumers should
_ask_ for secure software!). This isn't exactly true, and not really
fair. Insecure software or secure software can exist without
consumers. They don't matter. It's all about the programmers. The
problem is they are allowed to get away with their crappy programming
habits - and that is the fault of management, not consumers, for
allowing 'security' to be thought of as something separate from
'programming'.

Consumers can't be punished and blamed, they are just trying to get
something done - word processing, emailing, whatever. They don't need
to - nor should, really - care about lower-level security in the
applications they buy. The programmers should just get it right, and
managers need to get a clue about what is acceptable 'programming' and
what isn't.

Just my opinion, anyway.

-- Michael


On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
Greetings++,

Another interesting article this morning, this time from eSecurityPlanet.
(Full disclosure: I'm one of their columnists.) The article, by Melissa
Bleasdale and available at
http://www.esecurityplanet.com/trends/article.php/3495431, is on the general
state of application security in today's market. Not a whole lot of new
material there for SC-L readers, but it's still nice to see the software
security message getting out to more and more people.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com