Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: Erik van Konijnenburg <ekonijn () xs4all nl>
Date: Mon, 08 Dec 2003 23:49:30 +0000
On Mon, Dec 08, 2003 at 10:00:01AM -0500, David A. Wheeler wrote:
> I would argue that the problems you noted - insufficient management attention to risk - are serious, but are fundamentally an _END-USER_ management issue. Managers either don't ask if the products are sufficiently secure for their needs, or are satisfied with superficial answers (Common Criteria evaluated is good enough; please don't ask about the evaluation EAL level, or
Yep, users can be frustrating, user management doubly so, they just won't specify security requirements up front.

On the other hand, if a project manager *asks* the user manager for a cost assessment of a security incident, chances are he'll get an informed answer: "this is just a PR site, nothing confidential, but downtime or defacement would have a definite cost in lost image." Starting from there, you can discuss the likelihood of various incidents, the amount of protection you need, and the acceptable cost to achieve that protection. Then you compromise to cut costs, just as you compromise on functional requirements.

Treat security as one more aspect to be covered during requirement analysis, and you may have an opportunity to get a conscious decision on security from end user management. They won't use terms like "EAL3 or better", and you may not like the amount of security they're willing to settle for, but it can be a conscious decision.

Of course, if you're developing COTS software, you have a much tougher job selling security.

--erik
Current thread:
- Re: Let's get the ball rolling -- secure application design tools/processes Jerry Connolly (Dec 03)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: Let's get the ball rolling -- secure application design tools/processes Crispin Cowan (Dec 08)
- The problem is that user management doesn't demand security David A. Wheeler (Dec 08)
- Re: The problem is that user management doesn't demand security Dana Epp (Dec 08)
- Re: The problem is that user management doesn't demand security Jared W. Robinson (Dec 09)
- Re: The problem is that user management doesn't demand security Erik van Konijnenburg (Dec 08)
- Re: The problem is that user management doesn't demand security Kenneth R. van Wyk (Dec 09)
- Re: The problem is that user management doesn't demand security George Capehart (Dec 09)
- Re: The problem is that user management doesn't demand security Stephen Galliver (Dec 09)
- Re: The problem is that user management doesn't demand security Andreas Saurwein (Dec 10)
- Re: The problem is that user management doesn't demand security Michael Cassidy (Dec 10)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: The problem is that user management doesn't demand security George W. Capehart (Dec 10)
- Re: The problem is that user management doesn't demand security Julie Ryan (Dec 11)