[This message was posted by Simon Flannery of Thomson Routers <[email protected]> to the "Information Security" discussion forum at http://fixprotocol.org/discuss/3. You can reply to it on-line at http://fixprotocol.org/discuss/read/1b199888 - PLEASE DO NOT REPLY BY MAIL.]
Wow, great discussion! You've added some great points! But remember: information == money in this age. :)

> Hi Ryan,
>
> I think we're both on the same page - I'm also happy to agree with any number
> of your points on this. I didn't mean to denigrate anything you had said in
> an earlier post - my point is that you are taking a big risk when you rely on
> a firm that doesn't specialize in security to provide you with a solution for
> a security problem.
>
> Granted, this hinges on how critical this is for someone - if you just need
> to check the 'secure' box to make the lawyers happy and you don't really
> care, then anybody's product is going to fit the bill. However, if you're
> really concerned about the potential for a compromise of some sort, that's
> where the situation changes:
>
> Most people don't have the resources to perform in-house audits to determine
> the level of security provided by product X, Y, or Z. You have to take a
> vendor's word on it, so the key thing here is that if you tell me your
> product supports SSL, but I can't audit it and you can't provide me with an
> exhaustive audit from a trusted third party, then I'm really forced to choose
> between the known quantity of a product from a reputable security firm and a
> product from a guy who assures me everything is ok, but can't really
> demonstrate it apart from waving his hands...
>
> As computer geeks, you know, and I know, that it's pretty easy to integrate
> support for OpenSSL into a product, and so on. But if we're not giving the
> source code to our customer - and they can't afford to audit our systems
> anyway - how do they know what's going on?
>
> If, on the other hand, you go to Cisco or one of the other big firms, you get
> a lot of assurance - you know that security is their core competency. You
> also know that the government considers large hardware vendors, like
> Cisco, to be a part of our national security infrastructure, and as such,
> they get lots of help, consulting and advice (from outfits that have really
> short names) related to ensuring that their systems are as secure as they can
> be. This doesn't make them infallible, but I'm a lot more comfortable knowing
> that a system has survived an NCSC audit, etc. than just hearing a general
> purpose programmer tell me that his software is secure.
>
> Of course, like I said - a lot of this depends on the level of risk that
> you're concerned about. If you are just worried that a script kiddie may
> intercept some traffic and post customer information on the internet that
> might embarrass you - then any solution is probably going to be good enough to
> deal with that adversary. On the other hand, if you're concerned that a
> skilled, dedicated adversary may try to sneak in and compromise your
> encryption technology (for whatever reason), it's going to be more difficult
> for him to monkey with hardware than it is to convince your software to start
> sending things in plain text...
>
> Of course, I'm a bit paranoid, but only from experiences in a different
> sector of the security world - where these sorts of things happen quite
> frequently. The reality is that most financial firms will never face these
> sorts of threats, as the bad guys want money more than they want information,
> and there are easier ways for them to get the money :-)
