The Security Industry Is Failing Miserably At Fixing Underlying Dangers 205
cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.
Re:In other news, water is wet. (Score:3, Interesting)
Well what else is there to do? The Security guys have to deal with a plethora of headaches, including demanding (but clueless) PHBs, commercial software houses whose idea of secure code is to patch it only after holes are found/exploited, and the need to make these things usable.
I mean, seriously - you can make something uber-secure, but you still gotta use the thing.
Besides, the most substantial underlying problem isn't the software, but the idiot behind the keyboard, and there's no fixing that.
Mind you, I agree that software should be vetted for security flaws and issues. I detest asshat software houses who have the motto of 'Release Date Uber Alles'. I also agree that aggressive release schedules and the too-often-piss-poor implementation of Agile bears a very substantial chunk of the blame.
BUT - the days of glaringly obvious vulns are so rare now that they're pretty much nonexistent these days (with but a very small handful of exceptions.) There's also the problem that one can write the most secure software practical, but then $OS_Maker decides to patch/change something (esp. in memory-handling), which in turn opens a hole in your product that you could have never anticipated.
I think TFA did two things wrong - one, he focused on one thing when security requires focusing on multiple things he gave nary a mention to (including that big fat variable also known as the user), and two, I do think that while yeah it's fun to poke at developers and blame them for stuff, asking for them to be psychic is a bit of a stretch. I say this because most software houses are honest about how they write code, and they do at least a modicum of diligence in that direction... yet they get raked over the coals when some ungodly complex vuln pops up that no human being could have anticipated (but at least one human being managed to stumble across.)
Re:There's no money in being secure (Score:2, Interesting)
Hah. This is too rich. I'm an engineer. An actual engineer in the traditional, licensed variety. I design physical structures that are used by the general population and have to ensure that they are safe for the next 50 to 100 years. Oh, and that they will survive the next 1-in-5000 year earthquake event, etc. I have a whole lot of product liability for what I put out and I can assure you, I do not make the same amount of money as a doctor. Hell, I don't even make the same amount of money as most software developers I know. Sign me up for being a "software engineer" where the worst thing that is going to happen to me is that I will lose my job. Right now, while making less money, the worst thing that can happen to me for the work I put out is having a collapse kill a bunch of people, going to jail, losing my job, and not being able to practice engineering anymore. Care to trade?
-anonymous geotechnical engineer