Re: [SC-L] Customer Demand

2009-08-22 Thread Brad Andrews


Regulation will never be as effective as we need and I believe will  
ultimately be counterproductive as many companies use "compliant" as  
an excuse to stop.  (It may get them to start, but once started, we  
need them to go farther.)


In regards to cigarettes, they are still a huge problem in many  
places.  Many become hooked all the time, in spite of all the  
education and efforts.  It has been far from effective.  Sure it isn't  
hip to smoke in some circles, but not all circles feel that way.


The analogy would be interesting to explore.

- Writing insecure code does give an addictive rush - you can do it  
faster!  (Smoking produces a positive experience, at least at some  
point.)


- Peer support is there - since most of a developer's peers are  
unlikely to develop securely.  (Peers push smoking, regardless of the  
messages "society" sends.)


- Taxing it won't eliminate it - both will become a "cost of doing  
business" for some.


As to seatbelts - the same problem persists.  We wouldn't need  
programs like "click-it or ticket" if past communications were  
successful.  I could go into details, but I don't want to argue the  
seatbelt issue.


The main factor is that I don't trust government to push much of  
anything successfully.  It may do some things, but it is incredibly  
inefficient most of the time.  :)


Your point about insurance is reasonable, though insurance companies  
will have to decide they are going to do that for their own  
self-interest before it is effective.  Even then, we may end up with  
something like the modern health care system (including lots of  
unnecessary tests) rather than security nirvana.


I agree that changing consumer behavior is not sufficient, but it is  
necessary.  The other stuff will not work without it.  Look at our  
modern "war on drugs" (including tobacco).  Changing demand is key,  
not supply.  People will write secure code when those who drive them  
(ultimately the customer) demand it.


Even if I am an enlightened CEO, I am not going to survive and thrive  
writing secure code if doing so makes me cost more than a competitor  
without giving me a clear, fairly immediate business advantage - that  
same demand.


--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting "Goertzel, Karen [USA]" :

I think we need a multifaceted approach that includes supply side,
demand side, insurance companies, consumer protection organisations,
etc. etc.


We need regulation with legal penalties - as exist for airlines, for
example - for software firms that fail to meet minimal standards
for quality - which must be defined to include security (using
demonstrated linkages to existing legislation as a catalyst - i.e.,
non-secure software makes it impossible to be HIPAA, FISMA, SOX,
PCI, etc. compliant).


We need a system of evaluation (like Good Housekeeping seal of
approval, but NOT like Common Criteria) for consumers to be able to
easily determine which software meets the minimum standards for
"goodness".


We need the insurance firms that are now offering security and CIP
related products to add software security criteria to their
definitions, so that their customers who buy demonstrably secure
software get breaks on their premiums, and those that willfully
engage in risky behaviours - i.e., persisting in use of bad software
- are penalised by higher premiums or, ultimately, having their
coverage dropped.


We need to educate end users as we did with seatbelts and cigarettes
- a series of really good public service advertisements that
clearly and engagingly depict what happens as a result of AVOIDABLE
(by developers) security-related failings in software. With outlets
like YouTube, the budget to broadcast such advertisements would be
significantly smaller than it would have been when only the media
outlets were big commercial networks.


Just some ideas - no doubt some better than others. The real message
is "Yes, we need to change consumer behaviour" - but that alone
won't get us where we need to go.


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Customer Demand

2009-08-22 Thread Goertzel, Karen [USA]
I think we need a multifaceted approach that includes supply side, demand side, 
insurance companies, consumer protection organisations, etc. etc. 

We need regulation with legal penalties - as exist for airlines, for example - 
for software firms that fail to meet minimal standards for quality - which must 
be defined to include security (using demonstrated linkages to existing 
legislation as a catalyst - i.e., non-secure software makes it impossible to be 
HIPAA, FISMA, SOX, PCI, etc. compliant).

We need a system of evaluation (like Good Housekeeping seal of approval, but 
NOT like Common Criteria) for consumers to be able to easily determine which 
software meets the minimum standards for "goodness".

We need the insurance firms that are now offering security and CIP related 
products to add software security criteria to their definitions, so that their 
customers who buy demonstrably secure software get breaks on their premiums, 
and those that willfully engage in risky behaviours - i.e., persisting in use 
of bad software - are penalised by higher premiums or, ultimately, having their 
coverage dropped.

We need to educate end users as we did with seatbelts and cigarettes - a series 
of really good public service advertisements that clearly and engagingly depict 
what happens as a result of AVOIDABLE (by developers) security-related failings 
in software. With outlets like YouTube, the budget to broadcast such 
advertisements would be significantly smaller than it would have been when only 
the media outlets were big commercial networks.

Just some ideas - no doubt some better than others. The real message is "Yes, 
we need to change consumer behaviour" - but that alone won't get us where we 
need to go. 

Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf 
Of Brad Andrews [andr...@rbacomm.com]
Sent: Friday, August 21, 2009 12:08 PM
To: sc-l@securecoding.org
Subject: [SC-L] Customer Demand

While no customer is likely to say they don't care about software
working now that we are past Y2K, they don't think about it at all and
are unlikely to allow any schedule slippage to allow for making sure
that is true.

Customers only really care about the things they will pay for.  Many
companies claim they "can't stand" poor software or services, but they
still pay for them, so they will keep getting them.

Until we convince them that good security really is important and that
they must demand and pay for it, we won't make the progress we want to
make.

How many companies wouldn't even be doing the PCI level of effort if
they weren't forced to do so?  How many strictly limit it to their
"PCI environment" rather than looking at the risk to the whole
enterprise?  Even major breaches don't help since the "it can't happen
here" attitude is common all over, in spite of the fact it is a risky
stance.

While part of this is just a cynical rant, I think the base point is
that we have a whole lot more selling to do on the need for software
security before we can properly place it throughout the curriculum.
That sales job is hard.  The fact a few people have "gotten it"
doesn't mean most have or that we are completely ready for the next
step.

I realize many here may not be saying that, but that is the message I
get stepping back.  And I am a dreamer/visionary.  I like to think
well ahead of things, but focusing too much there makes us likely to
continue to be a niche area, leaving lots of vulnerabilities.

Wouldn't a better focus be on the customer demand end?  Stirring that
up will do more to advance secure development than any number of
maturity models.  Unfortunately, it is a much more difficult task.  I
would bet it is also not as conceptually interesting to many.

--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Martin Gilje Jaatun :

> His stance on this
> is that "if security were important to the customer, the customer would
> provide and prioritize security requirements". To me, this is a bit like
> saying "If the customer doesn't explicitly state that the software
> should be Y2k-proof, he/she is not really bothered about it".


[SC-L] Customer Demand

2009-08-21 Thread Brad Andrews



While no customer is likely to say they don't care about software  
working now that we are past Y2K, they don't think about it at all and  
are unlikely to allow any schedule slippage to allow for making sure  
that is true.


Customers only really care about the things they will pay for.  Many  
companies claim they "can't stand" poor software or services, but they  
still pay for them, so they will keep getting them.


Until we convince them that good security really is important and that  
they must demand and pay for it, we won't make the progress we want to  
make.


How many companies wouldn't even be doing the PCI level of effort if  
they weren't forced to do so?  How many strictly limit it to their  
"PCI environment" rather than looking at the risk to the whole  
enterprise?  Even major breaches don't help since the "it can't happen  
here" attitude is common all over, in spite of the fact it is a risky  
stance.


While part of this is just a cynical rant, I think the base point is  
that we have a whole lot more selling to do on the need for software  
security before we can properly place it throughout the curriculum.   
That sales job is hard.  The fact a few people have "gotten it"  
doesn't mean most have or that we are completely ready for the next  
step.


I realize many here may not be saying that, but that is the message I  
get stepping back.  And I am a dreamer/visionary.  I like to think  
well ahead of things, but focusing too much there makes us likely to  
continue to be a niche area, leaving lots of vulnerabilities.


Wouldn't a better focus be on the customer demand end?  Stirring that  
up will do more to advance secure development than any number of  
maturity models.  Unfortunately, it is a much more difficult task.  I  
would bet it is also not as conceptually interesting to many.


--

Brad Andrews
RBA Communications
CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI


Quoting Martin Gilje Jaatun :


His stance on this
is that "if security were important to the customer, the customer would
provide and prioritize security requirements". To me, this is a bit like
saying "If the customer doesn't explicitly state that the software
should be Y2k-proof, he/she is not really bothered about it".

