Re: Application Insecurity --- Who is at Fault?

[Michael Silk <michaelslists () gmail com>]

On Apr 7, 2005 1:16 AM, Goertzel Karen <[EMAIL PROTECTED]> wrote:
> I think it's a matter of SHARED reponsibility. Yes, the programmers and
> their managers are directly responsible. But it's consumers who create
> demand, and consumers who, out of ignorance, continue to fail to make
> the connection between bad software security and the viruses, privacy,
> and other issues about which they are becoming increasingly concerned.

Quite frankly I don't think consumers need to care at all about this.

Do you, when buying chips, ask how they were cooked? Do you go back
and inspect the kitchen? Do you ask for a report on their compliance
to local health laws? No. The most you might do is glance at a box
with some ticks on it.

Why should software be any different? Why place the burden on
consumers to now evalutate the security of your products? Not only
don't they care, nor do they have the time, they wouldn't know where
to start!


> The consumer can't be held responsible for his ignorance...

Exactly!


> Because practioners of "safe software" have not done a very good
> job of getting the message out in terms that consumers, vs. other
> software practioners and IT managers, can understand.
>
> I propose that the following is the kind of message that might make a
> consumer sit up and listen:
>
> "We understand that you buy software to get your work or online
> recreation done as easily as possible. But being able to get that work
> done WITHOUT leaving yourself wide open to exploitation and compromise
> of YOUR computer and YOUR personal information is also important, isn't
> it?

Answer: Duh.

 
> "A number of software products, including some of the most popular ones,
> are full of bugs and other vulnerabilities that DO leave those programs
> wide open to being exploited by hackers so they can get at YOUR personal
> information, and take over YOUR computing resources.

Answer: So? I need to use them.

 
> "Why is such software allowed to be sold at all? Because no-one
> regulates the SECURITY of the software products that these the companies
> put out, least of all the programmers who write that software. And, more
> importantly, because you the consumer hasn't been told before that you
> can make a difference. You can vote with your feet.

Answer: But how will I pay my GST next month if I can't use my
accounting program? I don't want to waste time transferring all my
data to another product...


> "Demand that the software you use not be full of holes and 'undocumented
> features' that can be exploited by hackers.

Answer: How? I buy my software at a department store.

 
> If we can start to raise consumer awareness 

It's easy to blame the consumer - it means we
programmers/management/whatever don't need to do anything until they
ask us. But they will _never_ be able to ask all the right questions.
_Never_. So to put that requirement on them is just our 'easy way out'
of the problem.

-- Michael

 
> --
> Karen Goertzel, CISSP
> Booz Allen Hamilton
> 703-902-6981
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Michael Silk
> > Sent: Wednesday, April 06, 2005 9:40 AM
> > To: Kenneth R. van Wyk
> > Cc: Secure Coding Mailing List
> > Subject: Re: [SC-L] Application Insecurity --- Who is at Fault?
> >
> > Quoting from the article:
> > ''You can't really blame the developers,''
> >
> > I couldn't disagree more with that ...
> >
> > It's completely the developers fault (and managers). 'Security' isn't
> > something that should be thought of as an 'extra' or an 'added bonus'
> > in an application. Typically it's just about programming _correctly_!
> >
> > The article says it's a 'communal' problem (i.e: consumers should
> > _ask_ for secure software!). This isn't exactly true, and not really
> > fair. Insecure software or secure software can exist without
> > consumers. They don't matter. It's all about the programmers. The
> > problem is they are allowed to get away with their crappy programming
> > habits - and that is the fault of management, not consumers, for
> > allowing 'security' to be thought of as something seperate from
> > 'programming'.
> >
> > Consumers can't be punished and blamed, they are just trying to get
> > something done - word processing, emailing, whatever. They don't need
> > to - nor should. really. - care about lower-level security in the
> > applications they buy. The programmers should just get it right, and
> > managers need to get a clue about what is acceptable 'programming' and
> > what isn't.
> >
> > Just my opinion, anyway.
> >
> > -- Michael
> >
> >
> > On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
> > > Greetings++,
> > >
> > > Another interesting article this morning, this time from
> > eSecurityPlanet.
> > > (Full disclosure: I'm one of their columnists.)  The
> > article, by Melissa
> > > Bleasdale and available at
> > > http://www.esecurityplanet.com/trends/article.php/3495431,
> > is on the general
> > > state of application security in today's market.  Not a
> > whole lot of new
> > > material there for SC-L readers, but it's still nice to see
> > the software
> > > security message getting out to more and more people.
> > >
> > > Cheers,
> > >
> > > Ken van Wyk
> > > --
> > > KRvW Associates, LLC
> > > http://www.KRvW.com