The Security Industry Is Failing Miserably At Fixing Underlying Dangers 205
cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.
Re:What's the solution? (Score:5, Informative)
Well companies can do much more to improve on that front though.
1. Architect the product, not just build it. All too often the focus is on meeting business objectives and security is added later. An product that was well thought-out and designed handles security as part of the core design as well as the business objectives.
2. No Back door, design the program so the programmers can't get in without having rights to do so. The password DB should be only managed by the computer and humans shouldn't be able to figure it out.
3. Infrastructure planning. The Website shouldn't also be the Database server. The Database should only allow access from select sources, and give permissions that are appropriate to the user.
4. Plan for failure. Figure if someone breaks into the system find way to minimize the impact. Make sure the Salt for your hashes are hard to find, etc...
Re:"an industry luminary" (Score:5, Informative)
Uh, Gene *IS* an expert. He was one of the first guys to dissect the Morris worm, for example. He's been around from the beginning.
http://en.wikipedia.org/wiki/Gene_Spafford [wikipedia.org]
Maybe you should go FIND a fuck to give.