Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
- From: "Dennis Groves" <dennis.groves@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] A Different CSOonline Article calling out the BS in the security industry
- Date: Thu, 11 Jan 2007 11:22:05 -0700
Wow! What an honor - Pete Herzog! I love your project.
On 1/11/07, Pete Herzog <lists@xxxxxxxxxx> wrote:
> "Disclosure" and "Non Disclosure" is a red herring. Better education
> is a better solution.
Better education? How about just the truth for everyone, not just the
developers. I think that's the direction full disclosure should be going in.
While I will not sit here and defend those who would choose to lie, I
think that it is really cynical to say that all security issues are
the result of lies. On a macro level "truth" is quite subjective.
I am certain that *many* web applications are not the result of
deliberate lies. Jeremiah and I worked many an account overseas where
the desire to correct the problem was more important than the finger
of blame and covering up the issue. In fact it was shockingly
different than here in the US where this is the "standard" business
practice (also a very cynical view): they were happy to take full
responsibility, and were happy as a group that the security posture was
improved overall.
Pete, how many businesses start the implementation of their idea with
a copy of OSSTMM (a very fine example of education in my opinion)? I
would wager that until this happens we still have way more ignorance
than malice at the root of most security issues.
Dennis Groves
The problem is users expecting security in products that have not been
designed for security. He can argue that users don't want security but
they do want quality or at least for something to work as designed. Then
when something breaks they also want someone to blame. This is not the
fault of full disclosure. This is a common issue of the customer wanting
it all for a low low price. The fault here is marketing and greed. Whereas
we know that OSes like Microsoft's and many of the Linuxes are not
designed to be used on "hostile networks", they still are. That's like
those people who put their frozen dinners in the oven still in the
cardboard box and then sue the company when the house burns down. Now all
frozen meals state clearly "Remove from Box". Do we need to do the same
thing on the OS? I'd like to but I can assure you that it's not going to
happen and that's not because the general population doesn't need it. It's
a marketing decision.
-pete.
www.isecom.org
--
Dennis Groves
vcard: http://homepage.mac.com/dennisgr/FileSharing13.html
Be who you are and say what you feel,
because those who mind don't matter
and those who matter don't mind.
Theodor Geisel
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org