[WEB SECURITY] Re: [Full-disclosure] comparing information security to other industries

Michael Zimmermann zim at vegaa.de
Sun Dec 24 07:54:47 EST 2006


On Tuesday, 19.12.2006, 12:16 -0800, KT wrote:
> How do we compare to other industries like construction, engineering,
> finance? What I am trying to figure out is how mature we are and how
> long will it take to get stable?


Mature? Are you kidding? Computer security is still mainly only
changing Pampers after each incident.

That's because the common systems (software/hardware/social) are not
built for security but for money or fame.


All other industries you have mentioned have established
procedures, rules and laws on how to build their products and verify
the quality. The computer industry hasn't.

Just imagine a construction company that sells its houses only
to people who sign a legally binding contract that they accept
the house "as it is", without any guarantee that it is possible to
live in it. If the house collapses on you and your family,
you are eligible to get the money back - and no more. If burglars
celebrate parties in the house while you are at the office,
because it is well known that the backdoor keys are identical
in all houses of that construction company and key duplicates
can be found wherever you find two homeless people having a chat,
you are told to buy a separate product called "SecuyKeys"
(which costs at least 20% of the original price of the house).

You are not allowed to take the wallpaper off the wall and
look behind it to see how the house is constructed, and you get sued
when you publish these so-called "vulnerabilities" (which are
in effect only the results of incomplete, greedy and careless
construction work).


Just because companies are making money with computer
security doesn't make it into an "industry".

Why not answer two questions for yourself:

a) Are the computer systems at large nowadays more secure than
   - say - ten years ago?
b) How much more money has been spent on computer security since then?


The answers point directly to the net effect of what you call
an "industry".


And we - the IT people - are responsible.


Greetings
Michael



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
