I think it's a matter of SHARED reponsibility. Yes, the programmers and their managers are directly responsible. But it's consumers who create demand, and consumers who, out of ignorance, continue to fail to make the connection between bad software security and the viruses, privacy, and other issues about which they are becoming increasingly concerned.
The consumer can't be held responsible for his ignorance...at least not yet. Because practioners of "safe software" have not done a very good job of getting the message out in terms that consumers, vs. other software practioners and IT managers, can understand. I propose that the following is the kind of message that might make a consumer sit up and listen: "We understand that you buy software to get your work or online recreation done as easily as possible. But being able to get that work done WITHOUT leaving yourself wide open to exploitation and compromise of YOUR computer and YOUR personal information is also important, isn't it? "A number of software products, including some of the most popular ones, are full of bugs and other vulnerabilities that DO leave those programs wide open to being exploited by hackers so they can get at YOUR personal information, and take over YOUR computing resources. "Why is such software allowed to be sold at all? Because no-one regulates the SECURITY of the software products that these the companies put out, least of all the programmers who write that software. And, more importantly, because you the consumer hasn't been told before that you can make a difference. You can vote with your feet. "Demand that the software you use not be full of holes and 'undocumented features' that can be exploited by hackers. When you go out to buy a lawn mower, you wouldn't buy a model that has a well-published track record of its blades flying off. By the same token, you shouldn't buy a software package that has a well-documented track record of being successfully compromised by viruses, Trojan horses, and other hacker tricks." If we can start to raise consumer awareness in terms that consumers can understand (avoiding the arcane terminology of software practitioners), maybe we can start reducing demand for notoriously insecure software products, and increasing demand for software that is developed with security in mind. -- Karen Goertzel, CISSP Booz Allen Hamilton 703-902-6981 [EMAIL PROTECTED] > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Michael Silk > Sent: Wednesday, April 06, 2005 9:40 AM > To: Kenneth R. van Wyk > Cc: Secure Coding Mailing List > Subject: Re: [SC-L] Application Insecurity --- Who is at Fault? > > Quoting from the article: > ''You can't really blame the developers,'' > > I couldn't disagree more with that ... > > It's completely the developers fault (and managers). 'Security' isn't > something that should be thought of as an 'extra' or an 'added bonus' > in an application. Typically it's just about programming _correctly_! > > The article says it's a 'communal' problem (i.e: consumers should > _ask_ for secure software!). This isn't exactly true, and not really > fair. Insecure software or secure software can exist without > consumers. They don't matter. It's all about the programmers. The > problem is they are allowed to get away with their crappy programming > habits - and that is the fault of management, not consumers, for > allowing 'security' to be thought of as something seperate from > 'programming'. > > Consumers can't be punished and blamed, they are just trying to get > something done - word processing, emailing, whatever. They don't need > to - nor should. really. - care about lower-level security in the > applications they buy. The programmers should just get it right, and > managers need to get a clue about what is acceptable 'programming' and > what isn't. > > Just my opinion, anyway. > > -- Michael > > > On Apr 6, 2005 5:15 AM, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote: > > Greetings++, > > > > Another interesting article this morning, this time from > eSecurityPlanet. > > (Full disclosure: I'm one of their columnists.) The > article, by Melissa > > Bleasdale and available at > > http://www.esecurityplanet.com/trends/article.php/3495431, > is on the general > > state of application security in today's market. Not a > whole lot of new > > material there for SC-L readers, but it's still nice to see > the software > > security message getting out to more and more people. > > > > Cheers, > > > > Ken van Wyk > > -- > > KRvW Associates, LLC > > http://www.KRvW.com > > > > >