> -----Original Message-----
> Sent: Friday, April 29, 2005 2:32 PM
> To: SC-L
> Subject: [SC-L] Why Software Will Continue to Be Vulnerable
> This makes it highly unlikely that software companies are 
> about to start dumping large quantities of $$ into improving software quality.

That's interesting. And yet it's even worse than that. Software security
for the most part is not yet a *business* problem. Most businesses
(at least, that I deal with) still see software security as a "feature" problem
(ie.-we'll add it in version 1.1), an operational problem (e.g.-network 
or a process problem (e.g.--log review or some such nonsense that they
don't likely do anyway). Even worse, security folks that don't understand
the problem make the issue political as they try advance their careers by
solving the problem with lots of "security appliance" widgets and scanners
and such (which they don't understand either).

So you have (1) lack of public perception that there is an issue, (2) lack
of business perception that it's their issue, and (3) Information Security
Managers/CISOs trying to solve a business problem with more technology.

But all is not lost. There are still drivers:

1. Regulations. SB 1386 is starting to make a large impact in
business perceptions.

2. Standards & Certifications: albeit there is really an utter lack
of Standards/Certs for software security, business are starting
to look for these; several I'm dealing with are looking for these
as selling features.

e.g.--Our widget is more security that Competitor Y's widget
because it is certified "secure software".

3. Real world compromises. Take something as simple as XSS. How
do you take is seriously when NO ONE is exploiting it? (I know of only
a small handful of cases between 2000 to 2003.) But that all changed
in 2004, particularly December 2004 when there were a string of
advanced XSS attacks against financial institutions.

(While there are some cool examples from 2004 that I use a lot in
presentations none I repeat none have any meaningful loss numbers
associated with them that I am aware of.)


Reply via email to