Secure Coding mailing list archives

Re: Application Insecurity --- Who is at Fault?


From: "Jeff Williams" <jeff.williams () aspectsecurity com>
Date: Wed, 06 Apr 2005 17:45:13 +0100


Michael,

Don't hate the player, hate the game (quoting Ice-T). Developers aren't 
going to just write code differently because we say so. Speaking frankly, 
today there's really no incentive for them to write code securely. And no 
amount of guidelines, super-complex code scanners, or jumping up and down is 
going to change that.


The software market is seriously broken.  There are dramatic asymmetric 
information problems (see 
http://nobelprize.org/economics/laureates/2001/public.html) that make it 
impossible to tell secure software from junk.  There are also many 
externalities (see http://fpc.state.gov/documents/organization/43393.pdf) 
that prevent those who take risks from bearing the costs.


Nothing will change until we intervene in the software market in ways that 
fix these problems. There are many ways that government and industry can 
change the market, some more intrusive than others. Calls for a product 
liability regime from Schneier and others are interesting, but not likely to 
succeed politically.  Perhaps this is changing with the recent disclosure 
scandals.


See you at OWASP England.

--Jeff

[Ed. Ice-T quotes in SC-L...  What hath we wrought?!  :-\  KRvW]

----- Original Message ----- 
From: "Michael Silk" <[EMAIL PROTECTED]>

To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]>
Cc: "Secure Coding Mailing List" <[EMAIL PROTECTED]>
Sent: Wednesday, April 06, 2005 9:40 AM
Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?



Quoting from the article:
''You can't really blame the developers,''

I couldn't disagree more with that ...

It's completely the developers' fault (and managers'). 'Security' isn't
something that should be thought of as an 'extra' or an 'added bonus'
in an application. Typically it's just about programming _correctly_!

The article says it's a 'communal' problem (i.e: consumers should
_ask_ for secure software!). This isn't exactly true, and not really
fair. Insecure software or secure software can exist without
consumers. They don't matter. It's all about the programmers. The
problem is they are allowed to get away with their crappy programming
habits - and that is the fault of management, not consumers, for
allowing 'security' to be thought of as something separate from
'programming'.

Consumers can't be punished and blamed, they are just trying to get
something done - word processing, emailing, whatever. They don't need
to - nor should, really - care about lower-level security in the
applications they buy. The programmers should just get it right, and
managers need to get a clue about what is acceptable 'programming' and
what isn't.

Just my opinion, anyway.

-- Michael


On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:

Greetings++,

Another interesting article this morning, this time from eSecurityPlanet.
(Full disclosure: I'm one of their columnists.)  The article, by Melissa
Bleasdale and available at
http://www.esecurityplanet.com/trends/article.php/3495431, is on the
general state of application security in today's market.  Not a whole lot
of new material there for SC-L readers, but it's still nice to see the
software security message getting out to more and more people.

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com