Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: crispin at novell.com (Crispin Cowan)
Date: Mon, 19 Mar 2007 14:47:08 -0600
Gary McGraw wrote:
> Very interesting. Crispin is in the throes of big software. Anybody want to help me mount a rescue campaign from jamaica?
It is the art of managing upwards. To get my boss to do what I want him to do, I have to encourage him, I can't just tell him. And his boss. And his boss. And /his/ boss is the customer. So with a very long pole with hinges in it, I have to try to get the customer to do what I want.

With that kind of interface to the customer, the only way to get the customer to be more secure is to make being more secure the path of least resistance. Make the secure way of doing things so easy that anything else is just dumb, and the users will migrate to the secure way.

This is a highly unnatural thing to do. Security is the business of saying "no" to access requests, and so is mostly viewed as being the enemy of convenience. However, it can be done. SSH did it; logging in to a remote host is easier with SSH than with telnet or rlogin, because it lets you place public keys (so you don't even have to type a password) and tunnels your X11 stuff so that remote graphical stuff "just works".

All this is why ease of use was the #1 design goal of my AppArmor product. Grey beards love to go around quoting the fable that you can't add security to an existing system, you have to design it in. Well, guess what: you can't add ease of use to an existing system either, it has to be designed in. And if you fail to provide for ease of use, then users won't use it, at which point the security value of your solution drops to zero.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering http://novell.com
AppArmor Training at CanSec West http://cansecwest.com/dojoapparmor.html