> -----Original Message-----
> From: [EMAIL PROTECTED]
> Sent: Friday, April 29, 2005 2:32 PM
> To: SC-L
> Subject: [SC-L] Why Software Will Continue to Be Vulnerable
>
> This makes it highly unlikely that software companies are
> about to start dumping large quantities of $$ into improving software quality.
>
That's interesting. And yet it's even worse than that. Software security for the most part is not yet a *business* problem. Most businesses (at least, that I deal with) still see software security as a "feature" problem (i.e., we'll add it in version 1.1), an operational problem (e.g., network security), or a process problem (e.g., log review or some such nonsense that they don't likely do anyway). Even worse, security folks that don't understand the problem make the issue political as they try to advance their careers by solving the problem with lots of "security appliance" widgets and scanners and such (which they don't understand either).

So you have (1) lack of public perception that there is an issue, (2) lack of business perception that it's their issue, and (3) Information Security Managers/CISOs trying to solve a business problem with more technology.

But all is not lost. There are still drivers:

1. Regulations. SB 1386 is starting to make a large impact in business perceptions.

2. Standards & Certifications: albeit there is really an utter lack of Standards/Certs for software security, businesses are starting to look for these; several I'm dealing with are looking for these as selling features. e.g., "Our widget is more secure than Competitor Y's widget because it is certified 'secure software'."

3. Real world compromises. Take something as simple as XSS. How do you take it seriously when NO ONE is exploiting it? (I know of only a small handful of cases between 2000 and 2003.) But that all changed in 2004, particularly December 2004, when there was a string of advanced XSS attacks against financial institutions. (While there are some cool examples from 2004 that I use a lot in presentations, none, I repeat none, have any meaningful loss numbers associated with them that I am aware of.)

-ae