[WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
dennis.groves at gmail.com
Thu Jan 11 13:22:05 EST 2007
Wow! What an honor - Pete Herzog! I love your project.
On 1/11/07, Pete Herzog <lists at isecom.org> wrote:
> > "Disclosure" and "Non Disclosure" is a red herring. Better education
> > is a better solution.
> Better education? How about just the truth for everyone- not just the
> developers. I think that's the direction full disclosure should be going in.
While I will not sit here and defend those who would choose to lie, I
think that it is really cynical to say that all security issues are
the result of lies? On a macro level "truth" is quite subjective.
I am certain that *many* web applications are not the result of
deliberate lies, Jeremiah and I worked many an account over seas where
the desire to correct the problem was more important than the finger
of blame and covering up the issue. In fact it was shockingly
different that here in the US where this is the "standard" business
practice, (also a very cynical view) they were happy to take full
resposibility, and were happy as a group that the security posture was
improved over all.
Pete, how many businesses start the implimentation of their idea with
a copy of OSSTMM (a very fine example of education in my opinion)? I
would wager that until this happens we still have way more ignorance
than malice at the root of most security issues.
> The problem is users expecting security in products that have not been
> designed for security. He can argue that users don't want security but
> they do want quality or at least for something to work as designed. Then
> when something breaks they also want someone to blame. This is not the
> fault of full disclosure. This is a common issue of the customer wanting
> it all for a low low price. The fault here is marketing and greed. Where
> as we know that the OS like Microsoft's and many of the Linuxes are not
> designed to be used on "hostile networks" they still are. That's like
> those people who put their frozen dinners in the oven still in the
> cardboard box and then sue the company when the house burns down. Now all
> frozen meals state clearly "Remove from Box". Do we need to do the same
> thing on the OS? I'd like to but I can assure you that it's not going to
> happen and that's not because the general population doesn't need it. It's
> a marketing decision.
Be who you are and say what you feel,
because those who mind don't matter
and those who matter don't mind.
The Web Security Mailing List:
The Web Security Mailing List Archives:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
More information about the websecurity