RE: The biggest thing affecting software security? People, apparently.

[<PPowenski () oag com>]

Your final statement still focus's only on technology i.e. educate
programmers.
Yes I agree they can play a significant part in security applications
but in my experience
the common theme of making everything transparent for the users is utter
nonesene.
Ordinary users should be educated in security principles to assist in
understanding the value of data and how their actions could implicate an
exposure. Especially since we still need to setup users as power users
or admins in order to operate many third party apps.

Everyone receiving training appropriate for their role in informantion
management and security.

A balance for all responsible parties involved.

Cheers
paul powenski CISSP

-----Original Message-----
From: Irene Abezgauz [mailto:[EMAIL PROTECTED]
Sent: 30 June 2005 08:43
To: Nick Murison; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: Re: The biggest thing affecting software security? People,
apparently.


Nick,

First of all, notice the results are based on the opinions of 66 people,
which hardly makes it a comprehensive survey.

Another thing, people and mistakes will always be there, but technology
improves to ensure people can make less mistakes and are given less
space and freedom to make such. Better technology provides means for
people to make less mistakes. It just seems less obvious that it's the
technology that is making the difference when it's working properly. If
the technology wasn't there people would make a lot more mistakes while
reinventing a less secure wheel.

Imagine a world with no commercial session management products. A world
dominated by home-grown session mechanisms. Oh, btw, that world also
does not have any cryptographic infrastructure. Wake up from the
nightmare, and realize technology *is* important, it is just easy to
overlook when it's there. It is the same as saying that people are the
biggest cause of road kills, indeed, they are. On the other hand,
imagine the same people driving bumpy roads with no traffic lights, no
stop signs, and no lane markings. It is easy to say "why are they
developing better roads and thinking of ways to improve, while people
are the largest factor". Because people *need* better infrastructures
and better technology to keep their mistakes in control.

Btw, technology is no good when not used properly, so yes, education is
very, very, very important. That is why I strongly believe programmers
should be educated for security.

Irene
-----------------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com


On 6/29/05, Nick Murison <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> www.threatsandcountermeasures.com just closed their poll on what
> people thought was the biggest thing affecting software security.  The

> results were:
>
> People:     80.3%
> Process:    18.2%
> Technology:  1.5%
>
> Results also available from
> www.threatsandcountermeasures.com/PastPolls.aspx.
>
> If this is the case, then why is there such a huge financial
> investment in security technology?  Is the human factor expected to
> magically improves once we've got the "right" technology?
>
> For our new poll, Threats and Countermeasures are asking what people
> consider to be the more secure web application development platform;
> JSP, PHP, ColdFusion, ASP.NET or old-skool CGI.
>
> Best regards,
> --
> Nicholas John Murison
> ~~~~~~~~~~~~~~~~~~~~~
> http://www.urgusabic.net
NOTICE: This e-mail is intended for the named recipient(s). It may contain privileged and/or
confidential information.
If you are not one of the intended recipients, please notify the sender immediately and destroy
this e-mail and
attachment(s): you must not copy, distribute, retain or take any action in reliance upon the email
or attachment(s).
While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Ltd
and its affiliate
companies cannot guarantee that attachments are virus-free or are compatible with your systems,
and does not accept
liability in respect of viruses or computer problems experienced. Thank you.