Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Application Insecurity --- Who is at Fault?

From: Michael Silk <michaelslists () gmail com>
Date: Thu, 07 Apr 2005 03:09:39 +0100
Jeff,

On Apr 7, 2005 11:00 AM, Jeff Williams <[EMAIL PROTECTED]> wrote:

I would think this might work, but I - if I ran a software development
company - would be very scared about signing that contract... Even if
I did everything right, who's to say I might not get blamed? Anyway,
insurance would end up being the solution.


What you *should* be scared of is a contract that's silent about security.


If you're silent you can claim ignorance :D

But of course, I agree. "Security" should be mentioned under the part
of applications "Working Right".

What I meant I would be scared of, however, is that if the contract
didn't fully specify what I would be taking responsibility for. I.e. I
could be blamed if some misconfiguration on the server allowed a user
to run my tool/component as admin and enter some information or do
whatever.

The contract would have to be specific (technical?) so-as to avoid
problems like this. But I presume you have had far more experience
with these issues than I have... can you share any w.r.t to problems
like that?

Because I can imagine [if I wasn't ethical] trying to blame a security
problem in My Big Financial Website on a 3rd party tool if I could.



Courts will have to interpret (make stuff up) to figure out what the two
parties intended.  I strongly suspect courts will read in terms like "the
software shall not have obvious security holes".  They will probably rely on
documents like the OWASP Top Ten to establish a baseline for trade practice.

Contracts protect both sides.  Have the discussion.  Check out the OWASP
Software Security Contract Annex for a
template.(http://www.owasp.org/documentation/legal.html).


Yes, I've read the before, and even discussed it with you! :)

-- Michael



--Jeff




----- Original Message -----
From: "Michael Silk" <[EMAIL PROTECTED]>
To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Cc: "Secure Coding Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 06, 2005 9:40 AM
Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?


Quoting from the article:
''You can't really blame the developers,''

I couldn't disagree more with that ...

It's completely the developers fault (and managers). 'Security' isn't
something that should be thought of as an 'extra' or an 'added bonus'
in an application. Typically it's just about programming _correctly_!

The article says it's a 'communal' problem (i.e: consumers should
_ask_ for secure software!). This isn't exactly true, and not really
fair. Insecure software or secure software can exist without
consumers. They don't matter. It's all about the programmers. The
problem is they are allowed to get away with their crappy programming
habits - and that is the fault of management, not consumers, for
allowing 'security' to be thought of as something seperate from
'programming'.

Consumers can't be punished and blamed, they are just trying to get
something done - word processing, emailing, whatever. They don't need
to - nor should. really. - care about lower-level security in the
applications they buy. The programmers should just get it right, and
managers need to get a clue about what is acceptable 'programming' and
what isn't.

Just my opinion, anyway.

-- Michael


On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:

Greetings++,

Another interesting article this morning, this time from
eSecurityPlanet.
(Full disclosure: I'm one of their columnists.)  The article, by
Melissa
Bleasdale and available at
http://www.esecurityplanet.com/trends/article.php/3495431, is on the
general
state of application security in today's market.  Not a whole lot of
new
material there for SC-L readers, but it's still nice to see the
software
security message getting out to more and more people.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
Previous By Date Next
Previous By Thread Next

Current thread: