Re: Re: Application Insecurity --- Who is at Fault?

[Michael Silk <michaelslists () gmail com>]

On 4/13/05, der Mouse <[EMAIL PROTECTED]> wrote:
> > > > I would question you if you suggested to me that you always assume
> > > > to _NOT_ include 'security' and only _DO_ include security if
> > > > someone asks.
> > > "Security" is not a single thing that is included or omitted.
> > Again, in my experience that is not true.  Programs that are labelled
> > 'Secure' vs something that isn't.
>
> *Labelling as* secure _is_ (or at least can be) something that is
> boolean, included or not.  The actual security behind it, if any, is
> what I was talking about.
>
> > In this case, there is a single thing - Security - that has been
> > included in one and not the other [in theory].
>
> Rather, I would say, there is a cluster of things that have been boxed
> up and labeled "security", and included or not.  What that box includes
> may not be the same between the two cases, even, never mind whether
> there are any security aspects that aren't in the box, or non-security
> aspects that are.
>
> > Also, anyone requesting software from a development company may say:
> > "Oh, is it 'Secure'?"  Again, the implication is that it is a single
> > thing included or omitted.
>
> Yes, that is the implication.  It is wrong.

I couldn't agree more! This is my whole point. Security isn't 'one
thing', but it seems the original article [that started this
discussion] implied that so that the blame could be spread out.

If you actually look at the actual problems you can easily blame the
programmers :)

-- Michael