Ed Reed wrote:
> Crispin Cowan wrote:
>
>> Crispin, now believes that users are fundamentally what holds back security
>>
>
> I was once berated on stage by Jamie Lewis for sounding like I was
> placing the blame for poor security on customers themselves.
>

Fight back harder. Jamie is wrong. The free market is full of product offerings of every description. If users cared about security, they would buy different products than they do, and deploy them differently than they do. QED, lack of security is the users' fault.
> I have moved on, and believe, instead, that it is the economic
> inequities - the mis-allocation of true costs - that is really to blame.
>

Since many users are economically motivated, this may explain why users don't care much about security :)

A competitive free-market economy is really a large optimization engine for finding the most efficient way to do things, because the more efficient enterprises crush the less efficient. As such, I have a fair degree of faith that senior management is applying approximately the right amount of security to mitigate the threat that they face. If they are not doing so, they are at risk from competitors who do apply the right amount of security.

What has made the security industry grow for the last decade has been the huge growth in connectivity. That has grown the attack surface, and hence the threat, that enterprises face. And that has caused enterprises to grow the amount of security they deploy.

> Add the slowly-warmed pot phenomenon (apocryphal as it may be) -
> customers don't jump out of the boiling pot because they're too invested
> to walk away.
>
> Eventually I think they'll get fed up and there'll be a consumer uprising.
>

Why do you think it will be an uprising? Why not a gradual shift, where the vendors just get better, exactly as fast as the users need them to?

> Until then let's encourage better coding practices and secure designs
> and deep thought about "what policy do I want enforced".
>

Technologists figure out how to do stuff. Economists and strategists figure out what to do. We can encourage all we want, but we are just shouting into the wind until enterprise users demand better security.
Crispin

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________