Forgot your password?
typodupeerror
Security IT

The Security Industry Is Failing Miserably At Fixing Underlying Dangers 205

Posted by Soulskill
from the closing-the-barn-door dept.
cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.
This discussion has been archived. No new comments can be posted.

The Security Industry Is Failing Miserably At Fixing Underlying Dangers

Comments Filter:
  • TL;DR version (Score:2, Insightful)

    by Anonymous Coward on Wednesday June 25, 2014 @04:23PM (#47318377)

    "We have no consequences for sloppy design and we don't hold organizations accountable for bad things."

  • by swb (14022) on Wednesday June 25, 2014 @04:29PM (#47318413)

    But there sure is a lot of money in selling threat paranoia.

    Plus software vendors are apparently immune from product liability, so they never bear any costs for defects that lead to poor security or for implementing security poorly. If they had liability for this I think you'd see a lot fewer security defects, but probably a lot fewer features as well.

  • by Sleeping Kirby (919817) on Wednesday June 25, 2014 @04:33PM (#47318463)
    I do have a to agree in that the current development style/strategy (agile development) is less geared towards solid development and more on features and getting stuff out there. I think the article is just saying that they should do less of pushing out features and new things and more on good programming/fix known bugs. Of course putting out a bugless program is near impossible, but there's a difference in better prevention versus better clean-up.
  • by gbjbaanb (229885) on Wednesday June 25, 2014 @04:41PM (#47318541)

    its a n underrated point - why don't software engineers have to make products as reliable and good as more expensive engineering projects... and I think the clue in is that question.

    Why can't a software engineer make something that is as reliable as a bridge? Because a bridge costs a flipping fortune and can't really be reworked after implementation, so there's a huge incentive to get the entire team together to get it right. And that means the people who really make the bridge are the architects and project managers. In software terms, we have few architects and they're usually crap ex-developers who think they know it all, and project managers who are incompetents who think it was a job they can hide their lack of skill in. Meanwhile you have a load of developers who think they are the only ones who can do the job.

    A really good software project would require a technical architect who really understood what was happening and how things worked, and a project manager who understood timescales based on experience and managing the project deliveries and organisation.

    It would also require a project based on old technologies - no-one really has time to get to grips with something like 'real' engineers have to do because the platform they stand on gets whipped out from under them all the damn time - which is also a problem as the idiots who don't know a thing use this as an excuse to hide their lack of talent too (how many times have you heard that someone wants to rewrite in cool new technology almost for the sake of it - you can guarantee its because they can't hack doing the boring work maintaining or improving the old stuff, a lack of skill they'd still have if they did get to rewrite - no rewrite ever is any good, its almost always an even worse PoS).

    So all in all, there's a huge lack of professionalism in software caused by a lot of factors but I think the biggest one is the real lack of earned experience. We don't allow the good stuff to be built upon, we throw it away and start again with something else. We throw the good staff away and say they're not keeping up with technology. We hire kids because they have some buzzword on their CV.

    Anyway, we don't hold software engineers to the same high standards because we refuse to accept old, working stuff. We only want cheap new shiny crap. Its no wonder the software world has turned out like it has.

  • by johnnys (592333) on Wednesday June 25, 2014 @05:06PM (#47318755)

    The "Security Industry" makes money for the shareholders selling "stuff". Any time they see a problem, they will treat it as an opportunity to sell more stuff, since that is how they make money. If the problem is because the customer has already bought too much stuff, they will still try to sell the customer more stuff since THAT IS WHAT THEY DO.

    So if you want to be secure, what do you do? We all know: You get rid of crappy software, simplify your systems, remove unnecessary cruft and hire developers, network systems people and architects who can build you what you need securely. You do NOT hire the cheapest meat puppets who can find the company website and spell "javascript" and you don't outsource your security to the lowest bidder.

    This requires real effort on the part of the company paying for all this: They need to recognize that the "Security Industry" and their shiny, happy sales droids are just parasites ripping off the public with the "latest and greatest security stuff that will really protect you this time I promise not like all the other times, I really really mean it THIS time!".

    They really need to understand that the RIGHT way to GET Security is to design it in, have the right people building and managing it and proper oversight over all of it. To do that you have to treat it as a profession and a core part of what the company does, not as a "service" or "product" that can be "bought in" or "outsourced" to a low bidder.

    Security needs to be treated as a profession in any company with a significant cyber presence, just like the accounting them, the legal team and the core business functions. Pretending it's "just something that we can buy from a vendor" is short sighted and ignorant.

  • by preaction (1526109) on Wednesday June 25, 2014 @05:11PM (#47318789)

    I'd say the aerospace industry is dealing with it a lot better than the software industry. Perhaps we should get held up to the same standards, maybe then we could earn the title of "(Software) Engineer".

  • by Opportunist (166417) on Wednesday June 25, 2014 @05:41PM (#47319047)

    Sorry, and I know I'll be very unpopular for this, but the blame is on YOU. Yes, YOU. You there who always have to buy the latest and greatest turd that someone puts into a shiny, sleek piece of plastic and calls it the NEW $whatevergadget. As long as you buy buggy, crappy, spyware-attracting, insecure shit just because OHHHH! SHINY! you get what you deserve.

    Welcome to capitalism. If I can sell you a piece of turd that stinks, why should I waste money on perfume?

"And do you think (fop that I am) that I could be the Scarlet Pumpernickel?" -- Looney Tunes, The Scarlet Pumpernickel (1950, Chuck Jones)

Working...