Secure Coding mailing list archives
Re: The problem is that user management doesn't demand security
From: "Jared W. Robinson" <jwr () xmission com>
Date: Wed, 10 Dec 2003 00:42:42 +0000
On Mon, Dec 08, 2003 at 01:34:42PM -0800, Dana Epp wrote:
> We need to assume that the end user does not understand the risks, and our products must therefore be even stronger to mitigate threats to the computing platform. There is no real solution here until vendors and users start becoming accountable for their actions.

Maybe someone should popularize the idea of software contracts, wherein customers expect the vendor to supply a reasonable level of security for a certain time-frame.

> I think it's irresponsible to ship products that have KNOWN vulnerabilities without first associating that risk with appropriate safeguards for the end user. We wouldn't accept buying an unsafe car from someone like Ford, so why should we accept it in the field of software development?

Is a Ford Explorer less safe than a Volvo station wagon? Under what conditions? If it is less safe, does that mean that Ford is irresponsible for selling the Explorer to customers? Or does it mean that customers are responsible for their own safety because they made the purchasing decision?

So, I guess you're saying that customers need to know the risks of running software up-front so that they can make informed purchasing decisions. Unfortunately, risks tend to change rapidly in the software world. How do customers deal with changing threats? How do they keep informed? Is the vendor liable when a new threat is introduced that makes the software unsafe? Or should the customer fork over more money for a patched or redesigned version?

I believe that security is a process, not a state of being. Yes, we need to do a better job at educating people. Yes, we may need more secure software. But security isn't the only risk to consider when delivering products -- it's one of many risks that should be considered.

> Economics towards the vendor is no longer a good enough reason. Studies are showing the significant impact and cost that bugs have in the different stages of design, development and testing and are astronomical as they have to be applied to the customer. It is much too costly to both the vendor and the customer to routinely patch weak designs in the field.

If that is true, then economics *will* sort it out. In fact, it *is* sorting it out right now. It may not happen as quickly as we want it to, but it is happening.

- Jared Robinson