Secure Coding mailing list archives
Re: Application Insecurity --- Who is at Fault?
From: Michael Silk <michaelslists () gmail com>
Date: Thu, 07 Apr 2005 03:09:39 +0100
Jeff, On Apr 7, 2005 11:00 AM, Jeff Williams <[EMAIL PROTECTED]> wrote:
I would think this might work, but I - if I ran a software development company - would be very scared about signing that contract... Even if I did everything right, who's to say I might not get blamed? Anyway, insurance would end up being the solution.

What you *should* be scared of is a contract that's silent about security.
If you're silent you can claim ignorance :D But of course, I agree. "Security" should be mentioned under the part of applications "Working Right". What I meant I would be scared of, however, is that if the contract didn't fully specify what I would be taking responsibility for. I.e. I could be blamed if some misconfiguration on the server allowed a user to run my tool/component as admin and enter some information or do whatever. The contract would have to be specific (technical?) so as to avoid problems like this. But I presume you have had far more experience with these issues than I have... can you share any w.r.t. problems like that? Because I can imagine [if I wasn't ethical] trying to blame a security problem in My Big Financial Website on a 3rd party tool if I could.
Courts will have to interpret (make stuff up) to figure out what the two parties intended. I strongly suspect courts will read in terms like "the software shall not have obvious security holes". They will probably rely on documents like the OWASP Top Ten to establish a baseline for trade practice. Contracts protect both sides. Have the discussion. Check out the OWASP Software Security Contract Annex for a template (http://www.owasp.org/documentation/legal.html).
Yes, I've read that before, and even discussed it with you! :)

-- Michael
--Jeff

----- Original Message -----
From: "Michael Silk" <[EMAIL PROTECTED]>
To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Cc: "Secure Coding Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 06, 2005 9:40 AM
Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?

Quoting from the article: ''You can't really blame the developers,''

I couldn't disagree more with that ... It's completely the developers' fault (and managers). 'Security' isn't something that should be thought of as an 'extra' or an 'added bonus' in an application. Typically it's just about programming _correctly_!

The article says it's a 'communal' problem (i.e. consumers should _ask_ for secure software!). This isn't exactly true, and not really fair. Insecure software or secure software can exist without consumers. They don't matter. It's all about the programmers. The problem is they are allowed to get away with their crappy programming habits - and that is the fault of management, not consumers, for allowing 'security' to be thought of as something separate from 'programming'.

Consumers can't be punished and blamed, they are just trying to get something done - word processing, emailing, whatever. They don't need to - nor should, really - care about lower-level security in the applications they buy. The programmers should just get it right, and managers need to get a clue about what is acceptable 'programming' and what isn't.

Just my opinion, anyway.

-- Michael

On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:

Greetings++,

Another interesting article this morning, this time from eSecurityPlanet. (Full disclosure: I'm one of their columnists.) The article, by Melissa Bleasdale and available at http://www.esecurityplanet.com/trends/article.php/3495431, is on the general state of application security in today's market. Not a whole lot of new material there for SC-L readers, but it's still nice to see the software security message getting out to more and more people.
Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com