[WEB SECURITY] Great article outlining a core issue with many in the security community

Paul Schmehl pschmehl_lists at tx.rr.com
Mon Feb 14 11:33:30 EST 2011

--On February 14, 2011 9:21:56 AM +0200 Ory Segal <SEGALORY at il.ibm.com> 

> What we do need to ask ourselves is - if nobody is prioritizing security
> as a critical software requirement - what are we doing wrong here???

This is a human nature issue.  You can't solve human nature issues with 

Most humans will choose the path of least resistance when confronted with 
decision paths.  Look how long it took to get safety features into 
automobiles.  Things we now take for granted (crush zones, air bags, safety 
belts) were considered extraneous at first, then luxuries, until the death 
toll rose to a level that people began demanding action.  Even now some 
people will opt not to use a seat belt even though the evidence for doing 
so is overwhelming and the cost of having them is built into the product.

Software is no different.  It's a human endeavor.  Until the perceived cost 
of *not* having security built in exceeds some comfort level (and who knows 
what that might be?) not much will change.  There will be leaders and 
innovators who are out front working for change, and they will be able to 
sell their products to the security conscious buyers, but it will not be a 
commodity until enough "bad" happens to force the "good".

Telling someone there are security holes in their product doesn't mean they 
will fix them.  Until those holes incur a cost to them that *they* perceive 
is higher than the cost of fixing them, they're not going to fix them 
unless altruism comes into play.  It seldom does.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell