[WEB SECURITY] Great article outlining a core issue with many in the security community
pschmehl_lists at tx.rr.com
Mon Feb 14 11:33:30 EST 2011
--On February 14, 2011 9:21:56 AM +0200 Ory Segal <SEGALORY at il.ibm.com>
> What we do need to ask ourselves is - if nobody is prioritizing security
> as a critical software requirement - what are we doing wrong here???
This is a human nature issue. You can't solve human nature issues with
Most humans will choose the path of least resistance when confronted with
decision paths. Look how long it took to get safety features into
automobiles. Things we now take for granted (crush zones, air bags, safety
belts) were considered extraneous at first, then luxuries, until the death
toll rose to a level that people began demanding action. Even now some
people will opt not to use a seat belt even though the evidence for doing
so is overwhelming and the cost of having them is built in to the product.
Software is no different. It's a human endeavor. Until the perceived cost
of *not* having security built in exceeds some comfort level (and who knows
what that might be?) not much will change. There will be leaders and
innovators who are out front working for change, and they will be able to
sell their products to the security conscious buyers, but it will not be a
commodity until enough "bad" happens to force the "good".
Telling someone there are security holes in their product doesn't mean they
will fix them. Until those holes incur a cost to them that *they* perceive
is higher than the cost of fixing them, they're not going to fix them
unless altruism comes into play. It seldom does.
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell