Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
- From: "Dennis Groves" <dennis.groves@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
- Date: Thu, 11 Jan 2007 00:58:04 -0700
While your logic is quite sound Gervase, and I honestly respect many
of the things that you have to say, I am not quite sure that I agree
with you even though what you say is logically correct. Additionally,
I respect Marcus as well, and I think that his point is quite well
taken in context despite your demonstrated incorrectness.
I don't think that "disclose" or "not disclose" is an intellectually
honest way of framing the question; it reminds me of Bush's arguments
for the war, "those who are not for us are against us"; pure rubbish.
I think that there is a third way (and many others), and that was the
original purpose in starting OWASP, and I am quite sure that is the
reason behind WASC as well. This "third" way is education. I am
strongly of the position that education of the developers of websites,
the end users who browse them and the management of the companies that
run them; of their roles in security lifecycle is the most effective
way of establishing the security process and improving the security
posture of organizations.
Clearly things will happen and if it happens to be the fault of a
vendor or not, and if they fix it or not will not do as much to
protect the vulnerable system as much as educated engineers who are
capable of engineering a solution to correct, protect or mitigate the
risk in question. A great example of this was the other day when Amit
suggested a way to mitigate the risk of the PDF XSS issues! Well
before the finger of blame went out and people sat around waiting for
somebody to take responsibility to patch it; Amit and others like him
have engineered new ways to continue business as usual while
mitigating the risk. And I for one would like to see more people
capable of what Amit did because I think that this is the real
solution to the "security" problem.
"Disclosure" and "Non Disclosure" is a red herring. Better education
is a better solution.
Dennis Groves
On 1/10/07, Gervase Markham <gerv@xxxxxxxx> wrote:
robert@xxxxxxxxxxxxx wrote:
> "If the proponents of disclosure were right, their stated
> objective browbeating the vendors into making their products
> better would have been accomplished years ago. "
That assertion can't stand unless we have two Earths, and we do
different things on each and compare the results.
We don't know whether security would suck even more without the
disclosures than it does now.
There are positives. Microsoft's position on the relative importance of
security compared to things like usability, convenience and backwards
compatibility has been transformed over the past five years. I'm sure
one driver for this was the continued negative publicity surrounding the
published holes in their products, and the exploitation of them
(Slammer, anyone?).
Gerv
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
--
Dennis Groves
vcard: http://homepage.mac.com/dennisgr/FileSharing13.html
Be who you are and say what you feel,
because those who mind don't matter
and those who matter don't mind.
Theodor Geisel
Brought to you by http://www.webappsec.org