Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: George Capehart <capegeo () opengroup org>
Date: Tue, 09 Dec 2003 20:30:01 +0000
On Monday 08 December 2003 05:11 pm, Erik van Konijnenburg wrote: <snip>
Of course, if you're developing COTS software, you have a much tougher job selling security.
Agreed. I was going to respond to David, but then saw this, and this, I think, is at the core of David's point. I must admit that one of the tacit assumptions of my rant was that I was talking about systems that an organization was developing for its own use as opposed to manufacturing a product. It it true, the variables and dynamics are different to a degree. That is something interesting to think about, but in the end, I don't see that they're that different. I admit that it seems that software consumers are *much* less discerning than are consumers of just about any other product, and I think that that is just a different way to say what David was saying. (Notice that I *didn't* say that they were clueless or that they engaged in magical thinking . . . :-> but they are, and they do). To me, the biggest difference between a consumer who buys a PC and the business owner of a system for which he/she has just ponied up several million dollars is the responsibilities the latter has to the stockholders of the company and risk that he/she has to manage. If Joe Homeuser doesn't patch Outlook and IE, he just gets every virus and worm that comes along. Chances are, the only time it really affects him is when he notices his network access has slowed to a crawl, someone has used his credit card, or his system crashes and he can't reboot. If the www.bigreatailer.com's online shopping application stores login ids and passwords in the clear in an online database, *that* is */bad/*. Several people should swing from the yardarms for that, and the first one should be business owner of the application (or maybe even the CEO) . . . For me this all keeps coming back to accountability. If the business owner of www.bigretailer.com's online application is held accountable for the security of the system, the system will be more secure than if he/she is not. If software customers/end-users held software vendors accountable for the security of the software they buy, the software would be more secure than it is now. I agree wholeheartedly with David's assertion that developers fail to design and build secure systems because of the economics of the situation. However, I'm not willing to lay the "blame" on the developers. The decision about how to design and build systems is a business decision. The developer may very well *want* to build a more robust decision than is specified in the requirements. It's not their decision. It's the business owner's decision. *That's* why the certification and accreditation process is so important. It is through that process that the business owner formally acknowledges *and* *accepts* residual risk. Right now, there's no accountability, so there's no penalty for building unsecure systems . . . be they in-house or COTS. I agree also, that with COTS, the "security sell" is harder. That requires educated consumers who will vote with their pocketbooks . . . I'm not holding my breath . . . /g -- George Capehart capegeo at opengroup dot org PGP Key ID: 0x63F0F642 available on most public key servers "It is always possible to agglutenate multiple separate problems into a single complex interdependent solution. In most cases this is a bad idea." -- RFC 1925
Current thread:
- Re: Let's get the ball rolling -- secure application design tools/processes Jerry Connolly (Dec 03)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: Let's get the ball rolling -- secure application design tools/processes Crispin Cowan (Dec 08)
- The problem is that user management doesn't demand security David A. Wheeler (Dec 08)
- Re: The problem is that user management doesn't demand security Dana Epp (Dec 08)
- Re: The problem is that user management doesn't demand security Jared W. Robinson (Dec 09)
- Re: The problem is that user management doesn't demand security Erik van Konijnenburg (Dec 08)
- Re: The problem is that user management doesn't demand security Kenneth R. van Wyk (Dec 09)
- Re: The problem is that user management doesn't demand security George Capehart (Dec 09)
- Re: The problem is that user management doesn't demand security Stephen Galliver (Dec 09)
- Re: The problem is that user management doesn't demand security Andreas Saurwein (Dec 10)
- Re: The problem is that user management doesn't demand security Michael Cassidy (Dec 10)
- Re: Let's get the ball rolling -- secure application design tools/processes George Capehart (Dec 07)
- Re: The problem is that user management doesn't demand security George W. Capehart (Dec 10)
- Re: The problem is that user management doesn't demand security Julie Ryan (Dec 11)