Security
-
That's only partially true. If you write a generic application that has security holes, are you not responsible? Take one of these 75% (generic applications, which I don't believe is the case). Now suppose you have a security hole that allows an attacker to download malware or a bot and make your user's computer part of a botnet. Does the publisher of that 75% not bear some responsibility? You shouldn't be writing software that is full of security holes an attacker might use.
Also, along those lines, think about this: do you know why Apple and Linux touted themselves as the most virus-free/secure operating systems? It certainly wasn't because they didn't have security holes (huge ones even). It wasn't because they had the best antivirus software. It was solely because attackers thought that they weren't worth the time to hack or attack. Bigger products with bigger user bases were out there and those are the targets. Small-time software isn't going to be hacked or exploited, especially software gotten through legitimate sources. If my "customer" got a product through BitTorrent that had a trojan horse embedded in it, then I'm not going to work to fix it; they illegally stole my product and they got what they deserved.
-
Microsoft recently released a study in which they stated that only 20% of software developers/engineers employed any form of security or security process within their applications or code. I am interested to know, as a security engineer, why that is. I've written a lot of crappy insecure code that could quite potentially cost previous employers a lot of money. However, they too were not that interested in security. Isn't it time we get serious about security? Why do we not take it seriously?
I guess most software doesn't need to be safe, and a lot of people just don't care or don't understand. Also, maybe it is because it costs money, time and effort to develop a secure application, and quick return on investment means that a lot of managers won't bother with it.
-
Tripping up with that subject and username looks awfully like you're about to start touting for business.
“I believe that there is an equality to all humanity. We all suck.” Bill Hicks
LOL. No, I have a good job that pays well. I am just a security evangelist and believe too many software developers/engineers don't take security seriously and don't think about security, nor do their managers and companies.
-
Ron Beyer wrote:
If my "customer" got a product through bit-torrent that had a trojan horse embedded in it, then I'm not going to work to fix it, they illegally stole my product and they got what they deserved.
I agree 100%. However, if I wrote a piece of malware that exploited a security hole in your software to hijack your customer's computer, that is your fault.
-
I disagree; you wrote the malware, it's your fault, and if it ever got to it, a court of law would side with me. If I leave a loaded gun on the table, it's not my fault you shoot somebody with it. [edit] Yes, I would be negligent for leaving it there, but you would be guilty of the crime. [/edit] But here's the bigger question: are you going to spend your time writing a security exploit for XYZ Inc's Video Gadget, or Microsoft Movie Maker? Which do you think will get you further in your goal of taking over the world? I'm guessing it's not Video Gadget... And because of Video Gadget's small user base, I'm guessing they can have a fix out for a reported exploit faster than Movie Maker, so there is no incentive for me as XYZ Inc's product manager to dedicate resources to pre-release holes when software doesn't make money sitting in the IDE.
-
Most of our security is focused on stopping people getting into the network (we write software for companies we own, not for sale). Many systems have data that is not dangerous should someone get it, or is of no use to anyone else. We did get consultants in to advise when we started on customer-facing or account-based stuff. Many things I have worked on have simply authenticated against the domain logon. Databases do not require logons, and in some cases are stored on user devices in flat files; again, all the security is done at device level: if you can get on the machine you get access. Some of us developers consider security, but I'm not sure managers fully understand. Essentially, though, as someone else said, it comes down to cost against benefit.
“I believe that there is an equality to all humanity. We all suck.” Bill Hicks
-
I would say that 99% of my software doesn't have much security in it, since it is mostly desktop apps. In fact, I'm not sure what sort of security would be needed. If a customer leaves their desktop wide open, that's not my problem and I'm not sure I should even consider adding layers of security to flummox the users to check for that problem. Without reading the MS info, methinks that saying only 20% employ any sort of security is comparing a fraction to the whole.
CQ de W5ALT
Walt Fair, Jr., P. E. Comport Computing Specializing in Technical Engineering Software
-
The vast majority of what I write is intended for back office use only, with pre-screened and already trusted users: If security is an issue, I add five lines of code to invoke a well tested and secure (as such things go) centralized login that links a network user name and password to an application. On our website, we have another well tested library that is used to securely transfer data in a variety of ways (in Session, as a cookie, or even in the URL.) In short, why reinvent the wheel with every application? We don't write external apps, and our internal security is easily centralized.
-
According to my manager, security is not an issue...until it becomes an issue. Then we'll fix it.
-NP Never underestimate the creativity of the end-user.
That's absolutely awesome...typical, but awesome.
-
Ever hear the phrase "when all you have is a hammer, everything looks like a nail"? I apologize and no offense to the OP, but I'm guessing that this post is along that line.
That's not really it at all. I fully understand that not all software requires some form of security. But that should simply not negate the thought or the process. It's a balancing act between cost, usability, performance and resources. Nobody has just one security hole in their system. If folks take the attitude "oh, it's not our problem, we rely on something else, our software doesn't need it, we're not big enough to get hacked", there isn't enough motivation. It just screams of naivety. It's an attitude that needs to change, especially as more apps move away from the desktop to the cloud or onto mobile devices, or employees bring in USB drives or download e-mail attachments at work.
-
Quote:
Or employees bring in, usb drives, download e-mail attachments at work.
Sounds like a computer use policy to me, easily fixed by editing the security policies on the computer. Not saying software should be an "it's not our problem", and it definitely shouldn't be something that they purposely leave gaping, but on the other hand the developer shouldn't focus on security issues; when a company or product line gets big enough they hire people like you to help. Until that point comes a developer should focus on usability and stability (while not being downright stupid with security), and let the rest sort itself out. I'm not naive about the software I release. I know what the security flaws are, but I know that the chances of them getting exploited are like .0001% of my total shipped software. That means I should not dedicate more than .0002% of my time fixing or avoiding that software hole. Microsoft and big companies take the same road, and for good reason. They know when they release software that it has security holes. They know what (most of) the holes are, but the big holes are plugged and the little ones get taken care of as the USER prioritizes. The only way to do that is to rely on user reports. Developers have a sense of perfection when it comes to code, and that's poor business practice unfortunately. It's up to managers to decide how "perfect" code has to be before they put it in the revenue stream. Good managers realize this, that it's not perfect despite the developer, and get it out there anyway. This pisses developers off (we are all infallible perfectionists), but it keeps them in the job.
-
I think what the OP is talking about and what you are talking about are two different topics. App licensing isn't really security. You should probably start your own topic in an appropriate programming forum to ask this.
-
Ron Beyer wrote:
Sounds like a computer use policy to me, easily fixed by editing the security policies on the computer.
Absolutely it's a computer use policy issue; however, the point was/is: how many companies really enforce, or have proper policies in place? With the prevalence of BYOD and employees accessing private e-mail, my point was simply that developers shouldn't entirely leave the decision up to network ops or IT to enforce security behind firewalls. A BYOD device or an e-mail could exploit a security hole in your "internal" application to make its data external pretty quickly. I am still very much a developer as much as a security person today; I just develop security-centric solutions to help the rest of the development team.
Ron Beyer wrote:
Microsoft and big companies take the same road and for good reason
Not really. Perhaps that's what Microsoft used to do; however, they've drastically changed their practices.
-
CdnSecurityEngineer wrote:
I am just a security evangelist
Oh boy. :rolleyes: Don't get me wrong. Security is important, but to me that statement reeks of troll-speak.
Soren Madsen
"When you don't know what you're doing it's best to do it quickly" - Jase #DuckDynasty