<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Free Security</title>
	<atom:link href="http://isisblogs.poly.edu/2007/02/11/free-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://isisblogs.poly.edu/2007/02/11/free-security/</link>
	<description>Information Systems and Internet Security</description>
	<pubDate>Thu, 28 Aug 2008 09:33:53 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
		<item>
		<title>By: Michael Daniluk</title>
		<link>http://isisblogs.poly.edu/2007/02/11/free-security/#comment-14</link>
		<dc:creator>Michael Daniluk</dc:creator>
		<pubDate>Thu, 15 Feb 2007 02:31:54 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2007/02/11/free-security/#comment-14</guid>
		<description>I think I lean towards the direction Dan alluded to. More responsibility should be placed on developers. I think the best way to achieve a software product with a high level of security is via the concurrence of development and penetration testing. The people who build the system should do their best to try to break the system, fixing all vulnerabilities found before the product is shipped. I think this should happen at ALL stages of the life cycle. There are several clear benefits to this approach:

1. It allows us to make all kinds of Taoist statements about creation and destruction occurring simultaneously, and we all know how much security professionals love Yin Yang symbols.
2. Nobody has more knowledge of the system than its builders; therefore, they will be able to deduce the highest number of attack vectors and expose the most vulnerabilities.
3. Over time, secure coding practices will be habituated by developers, because they know if something is weak they will HAVE TO fix it.
4. Fewer Patches.
5. More Secure Patches.

But the question is, how do you enforce this kind of self-discipline?

Also a thought on Yan's statement: "they don’t care how their car works or how to keep it working since they can always get it fixed." The difference is, people need a license to use a car or other types of potentially harmful technologies. If people knew 25 years ago what they know now, would we all be carrying PC licenses?</description>
		<content:encoded><![CDATA[<p>I think I lean towards the direction Dan alluded to. More responsibility should be placed on developers. I think the best way to achieve a software product with a high level of security is via the concurrence of development and penetration testing. The people who build the system should do their best to try to break the system, fixing all vulnerabilities found before the product is shipped. I think this should happen at ALL stages of the life cycle. There are several clear benefits to this approach:</p>
<p>1. It allows us to make all kinds of Taoist statements about creation and destruction occurring simultaneously, and we all know how much security professionals love Yin Yang symbols.<br />
2. Nobody has more knowledge of the system than its builders; therefore, they will be able to deduce the highest number of attack vectors and expose the most vulnerabilities.<br />
3. Over time, secure coding practices will be habituated by developers, because they know if something is weak they will HAVE TO fix it.<br />
4. Fewer Patches.<br />
5. More Secure Patches.</p>
<p>But the question is, how do you enforce this kind of self-discipline?</p>
<p>Also a thought on Yan&#8217;s statement: &#8220;they don&#8217;t care how their car works or how to keep it working since they can always get it fixed.&#8221; The difference is, people need a license to use a car or other types of potentially harmful technologies. If people knew 25 years ago what they know now, would we all be carrying PC licenses?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brad Schonhorst</title>
		<link>http://isisblogs.poly.edu/2007/02/11/free-security/#comment-10</link>
		<dc:creator>Brad Schonhorst</dc:creator>
		<pubDate>Mon, 12 Feb 2007 03:01:19 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2007/02/11/free-security/#comment-10</guid>
		<description>I think as long as people are willing to pay big money for buggy software, there will continue to be poor software produced. I really hope that the next generation of security engineers can have a positive influence on the current state of software development, but until security incidents begin to translate to money lost by the developer, I fear deadlines will win top priority over a quality product.</description>
		<content:encoded><![CDATA[<p>I think as long as people are willing to pay big money for buggy software, there will continue to be poor software produced. I really hope that the next generation of security engineers can have a positive influence on the current state of software development, but until security incidents begin to translate to money lost by the developer, I fear deadlines will win top priority over a quality product.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dan Guido</title>
		<link>http://isisblogs.poly.edu/2007/02/11/free-security/#comment-9</link>
		<dc:creator>Dan Guido</dc:creator>
		<pubDate>Sun, 11 Feb 2007 07:15:25 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2007/02/11/free-security/#comment-9</guid>
		<description>I don't know if everyone agrees, but I think that part of our job as security engineers is to build products that don't easily fall into an insecure state.  People shouldn't have to think about "using a computer securely" and I think this entire argument isn't placing the blame where it lies...</description>
		<content:encoded><![CDATA[<p>I don&#8217;t know if everyone agrees, but I think that part of our job as security engineers is to build products that don&#8217;t easily fall into an insecure state.  People shouldn&#8217;t have to think about &#8220;using a computer securely&#8221; and I think this entire argument isn&#8217;t placing the blame where it lies&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Yan Ivnitskiy</title>
		<link>http://isisblogs.poly.edu/2007/02/11/free-security/#comment-8</link>
		<dc:creator>Yan Ivnitskiy</dc:creator>
		<pubDate>Sun, 11 Feb 2007 04:32:21 +0000</pubDate>
		<guid isPermaLink="false">http://isisblogs.poly.edu/2007/02/11/free-security/#comment-8</guid>
		<description>To answer the first half of your post, I believe selling a product or a buzzword is a lot better marketing than selling education. "We will make you secure. Period. We take cash, check or money order" works a lot better than "We will teach you proper practices and help you make better decisions". People don't want to follow practices or be taught proper maintenance, similarly to how they don't care how their car works or how to keep it working since they can always get it fixed.

We, as hacke^H^H^H^H^Hsecurity professionals, will always be needed, just as jails and prisons will always have occupants, since "if everyone just stopped committing crimes" is not reasonable. No matter how secure the kernel, or how tested the software is, there will always be vulnerabilities between the display and the chair. Not to mention companies love throwing their money at security-related contractors, as that is just good PR.</description>
		<content:encoded><![CDATA[<p>To answer the first half of your post, I believe selling a product or a buzzword is a lot better marketing than selling education. &#8220;We will make you secure. Period. We take cash, check or money order&#8221; works a lot better than &#8220;We will teach you proper practices and help you make better decisions&#8221;. People don&#8217;t want to follow practices or be taught proper maintenance, similarly to how they don&#8217;t care how their car works or how to keep it working since they can always get it fixed.</p>
<p>We, as hacke^H^H^H^H^Hsecurity professionals, will always be needed, just as jails and prisons will always have occupants, since &#8220;if everyone just stopped committing crimes&#8221; is not reasonable. No matter how secure the kernel, or how tested the software is, there will always be vulnerabilities between the display and the chair. Not to mention companies love throwing their money at security-related contractors, as that is just good PR.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
