Security
-
That's only partially true. If you write a generic application that has security holes, are you not responsible? Take one of these 75% (generic applications, which I don't believe is the case). Now suppose you have a security hole that allows an attacker to download malware or a bot and make your user's computer part of a botnet. Does the publisher of that 75% not bear some responsibility? You shouldn't be writing software that is full of security holes an attacker might use.
That doesn't appear to have anything to do with your original post.
-
I'm guessing because 75% of products don't require any kind of security or security process. Tell me why a word processor, video editor, sound editor, photo... would require it? You can't take a generalized study and apply it accurately to general software development. It's like saying that 75% of software doesn't employ the use of databases. Maybe 75% of them didn't need it...
Also, from the domino effect: all of the dominos are hidden behind that first domino. As long as that one never tips over, the rest will stay standing. Hardening all of the dominos seems wasteful. Everyone focuses on hardening that first domino. It can be hard to justify the additional effort/expense. Especially when there is lower-hanging fruit.
-
That's only partially true. If you write a generic application that has security holes, are you not responsible? Take one of these 75% (generic applications, which I don't believe is the case). Now suppose you have a security hole that allows an attacker to download malware or a bot and make your user's computer part of a botnet. Does the publisher of that 75% not bear some responsibility? You shouldn't be writing software that is full of security holes an attacker might use.
If the software in question is something that could have those kinds of holes (web browsers or operating systems, for example) then yes, the developer has the responsibility to secure the computer. However, I'm guessing that a good portion of software such as I listed, even if it has those holes, will not be the target of such attacks. From a business standpoint it comes down to effort vs. benefit. If I'm making a piece of software that is a video editor then I'm not going to spend a lot of time with security code. The decision on that would come down to profit margin, and my users will report the security holes for me. Yes, this sounds horrible from an ethics standpoint. I'm still guessing that a vast majority of software isn't the target of such attacks nor does it need to have the effort placed in it to avoid them, at least until the product gains popularity. A lot of software projects start off small and I think that's where a majority of non-security developers exist. Getting a product to market is the goal of any software company; anything that impedes that path must be avoided until necessary.
-
That's only partially true. If you write a generic application that has security holes, are you not responsible? Take one of these 75% (generic applications, which I don't believe is the case). Now suppose you have a security hole that allows an attacker to download malware or a bot and make your user's computer part of a botnet. Does the publisher of that 75% not bear some responsibility? You shouldn't be writing software that is full of security holes an attacker might use.
Also, along those lines, think about this: Do you know why Apple and Linux touted themselves as the most virus-free/secure operating systems? It certainly wasn't because they didn't have security holes (huge ones even). It wasn't because they had the best antivirus software. It was solely because attackers thought that they weren't worth the time to hack or attack. Bigger products with bigger user bases were out there and those are the targets. Small-time software isn't going to be hacked or exploited, especially software gotten through legitimate sources. If my "customer" got a product through BitTorrent that had a trojan horse embedded in it, then I'm not going to work to fix it; they illegally stole my product and they got what they deserved.
-
Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. As a security engineer, I am interested to know why that is. I've written a lot of crappy, insecure code that could quite potentially have cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
I guess most software doesn't need to be safe and a lot of people just don't care or don't understand. Also, maybe it is because it costs money, time and effort to develop a secure application, and quick return on investment means that a lot of managers won't bother with it.
-
Tripping up with that subject and username looks awfully like you're about to start touting for business.
“I believe that there is an equality to all humanity. We all suck.” Bill Hicks
LOL. No, I have a good job that pays well. I am just a security evangelist and believe too many software developers/engineers don't take security seriously and don't think about security, nor do their managers and companies.
-
Also, along those lines, think about this: Do you know why Apple and Linux touted themselves as the most virus-free/secure operating systems? It certainly wasn't because they didn't have security holes (huge ones even). It wasn't because they had the best antivirus software. It was solely because attackers thought that they weren't worth the time to hack or attack. Bigger products with bigger user bases were out there and those are the targets. Small-time software isn't going to be hacked or exploited, especially software gotten through legitimate sources. If my "customer" got a product through BitTorrent that had a trojan horse embedded in it, then I'm not going to work to fix it; they illegally stole my product and they got what they deserved.
Ron Beyer wrote:
If my "customer" got a product through BitTorrent that had a trojan horse embedded in it, then I'm not going to work to fix it; they illegally stole my product and they got what they deserved.
I agree 100%. However, if I wrote a piece of malware that exploited a security hole in your software to hijack your customer's computer, that is your fault.
-
Ron Beyer wrote:
If my "customer" got a product through BitTorrent that had a trojan horse embedded in it, then I'm not going to work to fix it; they illegally stole my product and they got what they deserved.
I agree 100%. However, if I wrote a piece of malware that exploited a security hole in your software to hijack your customer's computer, that is your fault.
I disagree. You wrote the malware, it's your fault, and if it ever got to it, a court of law would side with me. If I leave a loaded gun on the table, it's not my fault you shoot somebody with it. [edit] Yes, I would be negligent for leaving it there, but you would be guilty of the crime. [/edit] But here's the bigger question: are you going to spend your time writing a security exploit for XYZ Inc's Video Gadget, or Microsoft Movie Maker? Which do you think will get you further in your goal of taking over the world? I'm guessing it's not Video Gadget... And because of Video Gadget's small user base, I'm guessing they can have a fix out for a reported exploit faster than Movie Maker, so there is no incentive for me as XYZ Inc's product manager to dedicate resources to pre-release holes when software doesn't make money sitting in the IDE.
-
LOL. No, I have a good job that pays well. I am just a security evangelist and believe too many software developers/engineers don't take security seriously and don't think about security, nor do their managers and companies.
Most of our security is focused on stopping people getting into the network (we write software for companies we own, not for sale). Many systems have data that is not dangerous should someone get it, or of no use to anyone else. We did get consultants in to advise when we started on customer-facing or account-based stuff. Many things I have worked on have simply authenticated against the domain logon. Databases do not require logons, and in some cases are stored on user devices in flat files; again, all the security is done at device level: if you can get on the machine you get access. Some of us developers consider security, but I'm not sure managers fully understand. Essentially, though, as someone else said, it comes down to cost against benefit.
“I believe that there is an equality to all humanity. We all suck.” Bill Hicks
-
Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. As a security engineer, I am interested to know why that is. I've written a lot of crappy, insecure code that could quite potentially have cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
I would say that 99% of my software doesn't have much security in it, since it is mostly desktop apps. In fact, I'm not sure what sort of security would be needed. If a customer leaves their desktop wide open, that's not my problem, and I'm not sure I should even consider adding layers of security to flummox the users to check for that problem. Without reading the MS info, methinks that saying only 20% employ any sort of security is comparing a fraction to the whole.
CQ de W5ALT
Walt Fair, Jr., P. E. Comport Computing Specializing in Technical Engineering Software
-
Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. As a security engineer, I am interested to know why that is. I've written a lot of crappy, insecure code that could quite potentially have cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
The vast majority of what I write is intended for back-office use only, with pre-screened and already trusted users. If security is an issue, I add five lines of code to invoke a well-tested and secure (as such things go) centralized login that links a network user name and password to an application. On our website, we have another well-tested library that is used to securely transfer data in a variety of ways (in Session, as a cookie, or even in the URL). In short, why reinvent the wheel with every application? We don't write external apps, and our internal security is easily centralized.
-
According to my manager, security is not an issue...until it becomes an issue. Then we'll fix it.
-NP Never underestimate the creativity of the end-user.
That's absolutely awesome...typical, but awesome.
-
Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. As a security engineer, I am interested to know why that is. I've written a lot of crappy, insecure code that could quite potentially have cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
-
Ever hear the phrase "when all you have is a hammer, everything looks like a nail"? I apologize and no offense to the OP, but I'm guessing that this post is along that line.
That's not really it at all. I fully understand that not all software requires some form of security. But that should simply not negate the thought or the process. It's a balancing act between cost, usability, performance and resources. Nobody has just one security hole in their system. If folks take the attitude of "oh, it's not our problem, we rely on something else, our software doesn't need it, we're not big enough to get hacked", there isn't enough motivation. It just screams of naivety. It's an attitude that needs to change, especially as more apps move away from the desktop to the cloud or onto mobile devices, or employees bring in USB drives and download e-mail attachments at work.
-
That's not really it at all. I fully understand that not all software requires some form of security. But that should simply not negate the thought or the process. It's a balancing act between cost, usability, performance and resources. Nobody has just one security hole in their system. If folks take the attitude of "oh, it's not our problem, we rely on something else, our software doesn't need it, we're not big enough to get hacked", there isn't enough motivation. It just screams of naivety. It's an attitude that needs to change, especially as more apps move away from the desktop to the cloud or onto mobile devices, or employees bring in USB drives and download e-mail attachments at work.
Quote:
Or employees bring in USB drives and download e-mail attachments at work.
Sounds like a computer use policy to me, easily fixed by editing the security policies on the computer. I'm not saying software should be an "it's not our problem" thing, and it definitely shouldn't be something that they purposely leave gaping, but on the other hand the developer shouldn't focus on security issues; when a company or product line gets big enough they hire people like you to help. Until that point comes a developer should focus on usability and stability (while not being downright stupid with security), and let the rest sort itself out. I'm not naive about the software I release. I know what the security flaws are, but I know that the chances of them getting exploited are like .0001% of my total shipped software. That means I should not dedicate more than .0002% of my time fixing or avoiding that software hole. Microsoft and big companies take the same road, and for good reason. They know when they release software that it has security holes. They know what (most of) the holes are, but the big holes are plugged and the little ones get taken care of as the USER prioritizes. The only way to do that is to rely on user reports. Developers have a sense of perfection when it comes to code and that's poor business practice, unfortunately. It's up to managers to decide how "perfect" code has to be before they put it in the revenue stream. Good managers realize that it's not perfect despite the developer and get it out there anyway. This pisses developers off (we are all infallible perfectionists), but it keeps them in the job.