Secure Coding mailing list archives

RE: Re: The biggest thing affecting software security? People, apparently.


From: "Yousef Syed" <ysyed () dial pipex com>
Date: Sun, 03 Jul 2005 20:15:16 +0100

Numerous corporations have induction schemes for new employees. 
These should be designed to contain a significant portion referring to basic
security. 
If they covered little else than advice on how to use email appropriately,
it would be a huge benefit. (e.g. Don't open attachments unless you were
expecting them; Don't open/respond to junk mail; Teach them the tell-tale
signs that an attachment is a virus).
Many corporations have these things in their policy and email usage
documents. They just aren't enforced! Partly because many managers are found
making the errors in the first place! A change in attitude is required. 

The best way to do this is to show/publicize the costs involved when
viruses spread through a corporation; or when or if users' credit-card
details are compromised.
Corporations won't change unless it is made worthwhile to them.




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of John Manko
Sent: 30 June 2005 17:04
To: . .
Cc: [EMAIL PROTECTED]
Subject: [SC-L] Re: The biggest thing affecting software security? People,
apparently.

The reason there is such a huge investment in technology is because we
can't rely on people for security.  No matter how much we try to
educate, the general populace disregard the significance of security.
In addition, trivial security implementations are met with trivial
exploits, something that will do the cracker just fine.

. . wrote:

I wouldn't call 66 votes on your website Nick
(http://www.mail-archive.com/sc-l%40securecoding.org/msg00758.html), a
comprehensive tally. It would be interesting to get a larger audience
involved in this type of question though.

Regards,

- webappsec


On 6/29/05, Nick Murison <[EMAIL PROTECTED]> wrote:


Hi all,

www.threatsandcountermeasures.com just closed their poll on what people
thought was the biggest thing affecting software security.  The results
were:

People:     80.3%
Process:    18.2%
Technology:  1.5%

Results also available from
www.threatsandcountermeasures.com/PastPolls.aspx.

If this is the case, then why is there such a huge financial investment in
security technology?  Is the human factor expected to magically improve
once we've got the "right" technology?

For our new poll, Threats and Countermeasures are asking what people
consider to be the more secure web application development platform; JSP,
PHP, ColdFusion, ASP.NET or old-skool CGI.

Best regards,
--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net







