Security (Code Project, The Lounge)

Tags: securityquestion
34 Posts, 12 Posters
#1 CdnSecurityEngineer:

Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. I am interested to know, as a security engineer, why that is. I've written a lot of crappy insecure code that could quite potentially cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
#2 Ron Beyer (in reply to #1):

I'm guessing because 75% of products don't require any kind of security or security process. Tell me why a word processor, video editor, sound editor, photo... would require it? You can't take a generalized study and apply it accurately to general software development. It's like saying that 75% of software doesn't employ the use of databases. Maybe 75% of them didn't need it...
#3 Lost User (in reply to #1):

I will appreciate any advice here: I am about to release a new app and I would like to know the appropriate level of securing an inexpensive commercial app properly with an Activation Code. Do you reckon using a simple SecureString class to secure the code will be sufficient, or perhaps overkill? I will appreciate any thoughts on the issue.
#4 CdnSecurityEngineer (in reply to #2):

That's only partially true. If you write a generic application that has security holes, are you not responsible? Take one of these 75% (generic applications, which I don't believe is the case). Now suppose you have a security hole that allows an attacker to download malware or a bot and make your user's computer part of a botnet. Does the publisher of that 75% not bear some responsibility? You shouldn't be writing software that is full of security holes an attacker might use.
#5 Ron Beyer (in reply to #3):

I think what the OP is talking about and what you are talking about are two different topics. App licensing isn't really security. You should probably start your own topic in an appropriate programming forum to ask this.
#6 CdnSecurityEngineer (in reply to #3):

Cornelius, why don't you post a question in the questions. Or get in touch with me Here and I'll be happy to help you out.
#7 PIEBALDconsult (in reply to #4):

That doesn't appear to have anything to do with your original post.
#8 Tim Golisch (in reply to #2):

Also, from the domino effect: all of the dominos are hidden behind that first domino. As long as that one never tips over, the rest will stay standing. Hardening all of the dominos seems wasteful. Everyone focuses on hardening that first domino. It can be hard to justify the additional effort/expense. Especially when there is lower-hanging fruit.
#9 Ron Beyer (in reply to #4):

If the software in question is something that could have those kinds of holes (web browsers or operating systems for example) then yes, the developer has the responsibility to secure the computer. However, I'm guessing that a good portion of software such as I listed, even if it has those holes, will not be the target of such attacks. From a business standpoint it comes down to effort vs benefit. If I'm making a piece of software that is a video editor then I'm not going to spend a lot of time with security code. The decision on that would come down to profit margin, and my users will report the security holes for me. Yes, this sounds horrible from an ethics standpoint. I'm still guessing that a vast majority of software isn't the target of such attacks, nor does it need to have the effort placed in it to avoid them, at least until the product gains popularity. A lot of software projects start off small and I think that's where a majority of non-security developers exist. Getting a product to market is the goal of any software company; anything that impedes that path must be avoided until necessary.
#10 Ron Beyer (in reply to #4):

Also, along those lines, think about this: Do you know why Apple and Linux touted themselves as the most virus free/secure operating systems? It certainly wasn't because they didn't have security holes (huge ones even). It wasn't because they had the best antivirus software. It was solely because attackers thought that they weren't worth the time to hack or attack. Bigger products with bigger user bases were out there and those are the targets. Small-time software isn't going to be hacked or exploited, especially software gotten through legitimate sources. If my "customer" got a product through bit-torrent that had a trojan horse embedded in it, then I'm not going to work to fix it; they illegally stole my product and they got what they deserved.
#11 Valery Possoz (in reply to #1):

I guess most software doesn't need to be safe, and a lot of people just don't care or don't understand. Also, maybe it is because it costs money, time and effort to develop a secure application, and quick return on investment means that a lot of managers won't bother with it.
#12 Lost User (in reply to #1):

Tripping up with that subject and username looks awfully like you're about to start touting for business.

"I believe that there is an equality to all humanity. We all suck." Bill Hicks
#13 CdnSecurityEngineer (in reply to #12):

LOL. No, I have a good job that pays well. I am just a security evangelist and believe too many software developers/engineers don't take security seriously and don't think about security, nor do their managers and companies.
#14 Ron Beyer (in reply to #12):

Ever hear the phrase "when all you have is a hammer, everything looks like a nail"? I apologize and no offense to the OP, but I'm guessing that this post is along that line.
#15 CdnSecurityEngineer (in reply to #10):

Ron Beyer wrote:

If my "customer" got a product through bit-torrent that had a trojan horse embedded in it, then I'm not going to work to fix it, they illegally stole my product and they got what they deserved.

- I agree 100%. However, if I wrote a piece of malware that exploited a security hole in your software to hijack your customer's computer, that is your fault.
#16 Ron Beyer (in reply to #15):

I disagree: you wrote the malware, it's your fault, and if it ever got to it, a court of law would side with me. If I leave a loaded gun on the table, it's not my fault you shoot somebody with it. [edit] Yes, I would be negligent for leaving it there, but you would be guilty of the crime [/edit] But here's the bigger question: are you going to spend your time writing a security exploit for XYZ Inc's Video Gadget, or Microsoft Movie Maker? Which do you think will get you further in your goal of taking over the world? I'm guessing it's not Video Gadget... And because of Video Gadget's small user base, I'm guessing they can have a fix out for a reported exploit faster than Movie Maker, so there is no incentive for me as XYZ Inc's product manager to dedicate resources to pre-release holes when software doesn't make money sitting in the IDE.
#17 Lost User (in reply to #13):

Most of our security is focused on stopping people getting in to the network (we write software for companies we own, not for sale). Many systems have data that is not dangerous should someone get it, or of no use to anyone else. We did get consultants in to advise when we started on customer-facing or account-based stuff. Many things I have worked on have simply authenticated against the domain logon. Databases do not require logons, and in some cases are stored on user devices in flat files; again, all the security is done at device level: if you can get on the machine you get access. Some of us developers consider security, but I'm not sure managers fully understand. Essentially, though, as someone else said, it comes down to cost against benefit.
#18 Dr Walt Fair PE (in reply to #1):

I would say that 99% of my software doesn't have much security in it, since it is mostly desktop apps. In fact, I'm not sure what sort of security would be needed. If a customer leaves their desktop wide open, that's not my problem, and I'm not sure I should even consider adding layers of security to flummox the users to check for that problem. Without reading the MS info, methinks that saying only 20% employ any sort of security is comparing a fraction to the whole.

CQ de W5ALT. Walt Fair, Jr., P. E., Comport Computing, specializing in technical engineering software.
#19 Gregory Gadow (in reply to #1):

The vast majority of what I write is intended for back office use only, with pre-screened and already trusted users: If security is an issue, I add five lines of code to invoke a well tested and secure (as such things go) centralized login that links a network user name and password to an application. On our website, we have another well tested library that is used to securely transfer data in a variety of ways (in Session, as a cookie, or even in the URL.) In short, why reinvent the wheel with every application? We don't write external apps, and our internal security is easily centralized.
#20 NickPace (in reply to #1):

According to my manager, security is not an issue... until it becomes an issue. Then we'll fix it.

-NP Never underestimate the creativity of the end-user.