Secure Coding mailing list archives

Re: The problem is that user management doesn't demand security


From: George Capehart <capegeo () opengroup org>
Date: Tue, 09 Dec 2003 20:30:01 +0000

On Monday 08 December 2003 05:11 pm, Erik van Konijnenburg wrote:

> <snip>
>
> Of course, if you're developing COTS software, you have a much
> tougher job selling security.

Agreed.  I was going to respond to David, but then saw this, and this, I 
think, is at the core of David's point.  I must admit that one of the 
tacit assumptions of my rant was that I was talking about systems that 
an organization was developing for its own use as opposed to 
manufacturing a product.  It is true, the variables and dynamics are 
different to a degree.  That is something interesting to think about, 
but in the end, I don't see that they're that different.  I admit that 
it seems that software consumers are *much* less discerning than are 
consumers of just about any other product, and I think that that is 
just a different way to say what David was saying.  (Notice that I 
*didn't* say that they were clueless or that they engaged in magical 
thinking . . . :-> but they are, and they do).  To me, the biggest 
difference between a consumer who buys a PC and the business owner of a 
system for which he/she has just ponied up several million dollars is 
the responsibilities the latter has to the stockholders of the company 
and risk that he/she has to manage.  If Joe Homeuser doesn't patch 
Outlook and IE, he just gets every virus and worm that comes along.  
Chances are, the only time it really affects him is when he notices his 
network access has slowed to a crawl, someone has used his credit card, 
or his system crashes and he can't reboot.  If the 
www.bigretailer.com's online shopping application stores login ids and 
passwords in the clear in an online database, *that* is */bad/*.  
Several people should swing from the yardarms for that, and the first 
one should be the business owner of the application (or maybe even the CEO) 
. . .  For me this all keeps coming back to accountability.  If the 
business owner of www.bigretailer.com's online application is held 
accountable for the security of the system, the system will be more 
secure than if he/she is not.  If software customers/end-users held 
software vendors accountable for the security of the software they buy, 
the software would be more secure than it is now.  I agree 
wholeheartedly with David's assertion that developers fail to design 
and build secure systems because of the economics of the situation.

However, I'm not willing to lay the "blame" on the developers.  The 
decision about how to design and build systems is a business decision.  
The developer may very well *want* to build a more robust system than 
is specified in the requirements.  It's not their decision.  It's the 
business owner's decision.  *That's* why the certification and 
accreditation process is so important.  It is through that process that 
the business owner formally acknowledges *and* *accepts* residual risk.  
Right now, there's no accountability, so there's no penalty for 
building insecure systems . . . be they in-house or COTS.  I agree 
also, that with COTS, the "security sell" is harder.  That requires 
educated consumers who will vote with their pocketbooks . . . I'm not 
holding my breath . . .

/g
-- 
George Capehart

capegeo at opengroup dot org

PGP Key ID: 0x63F0F642 available on most public key servers

"It is always possible to agglutinate multiple separate problems into a
 single complex interdependent solution.  In most cases this is a bad
 idea."  -- RFC 1925