Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: Adam Shostack <adam () homeport org>
Date: Wed, 9 Apr 2003 22:14:51 -0400

On Wed, Apr 09, 2003 at 08:44:45PM -0400, Marcus J. Ranum wrote:
| It's an across the board problem. I think there's enough blame to go around,
| honestly. :)
...
| not professionalism. Managers have to demand it, and have to support their
| engineers in taking the extra time to use the tools and follow the procedures
| to write rock-solid code. And they have to be able to help control executives'
| expectations as to schedules. Everyone, across the board, has to do their
| job right. So do the customers.

At the end of the day, it's the customers who need to have a good
reason to care about security, and good assurance that their spending
has an effect.  There's an argument to be made that customers are in
fact making the *right* decisions about their security spending.
After all, only one company, to my knowledge, has gone out of business
as a result of the failure of their security systems.  But worse, try
quantifying the effect of security spending:

Manager: "Is this system secure?"
Expert: "heck no!  Let me explain how I'd break in."
Manager: "Ok, what do we need to spend to fix that?"
Expert: "How much you got?  Ok, that'll do for a start."
Manager: "Ok, we just spent a million bucks.  Is this system secure?"
Expert: "heck no!  Let me explain how I'd break in."

The rational manager doesn't spend money like that.  When we start to
quantify the effect of security spending, we might start to see more
of it.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards