The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

November 22nd, 2007

“Who ya gonna call?” Certainly not qualified experts!

This from a Friend in Australia:

The Australian Government is wasting over $100 million on “free” “Internet content filtering” software for home computers (http://www.netalert.gov.au/), and in the latest move, the opposition - which stands a very good chance of becoming the government after Saturday’s election - is now taking advice from a 16-year-old kid on its Internet policy (see http://www.smh.com.au/news/web/schoolboy-whiz-helps-draft-labor-cyber-policy/2007/11/21/1195321833867.html).

Security theater of the highest order. Words fail me.

“Security theater”? That’s one of Bruce Schneier’s lines. I’m surprised he hasn’t mentioned this on his blog.


October 28th, 2007

Online trading site was left wide open

http://www.theregister.ca/2007/10/25/online_trading_pen_test/

The comments about whether or not the coders are responsible, or should have raised red flags, are interesting.

But my say is that part of the problem is in the style of project management. I was fortunate that my early work in military avionics DID give the lower-level people a context view. (And you wonder why I say “Context is everything”?) In later jobs where I was compartmentalized and told “you don’t need to know the big picture, just code your bit” I found two things. One - that it was very frustrating, and two - that by looking at the big picture I could produce something more effective even in my little corner. Oh, and three - I could see systemic and strategic flaws, which usually upset the ‘senior’ people who should have caught them in the first place.

We have critics of the CISSP certification who claim that it’s not technical enough. But really our job is not secure coding but secure SYSTEMS.

As in: Certified Information SYSTEM Security Professional

Like the (ISC)2 site says, ‘Security transcends technology’. It’s not just about coding but the whole security stance. Security is everyone’s responsibility.

But suppose that a coder does raise a red flag and management - at whatever level - turns around and reprimands them for questioning a poor, incomplete, ambiguous or just plain wrong spec? I’ve seen such specs bring down a company here in Toronto, because when all the parts come together the result doesn’t work. Writing specs for a larger project is not easy. It requires a particular ‘vision’ and discipline.

One of the comments to the article says:

It’s up to the people who have the overview - the architects and senior developers - to make sure the spec given to coders meets the real requirements. So definitely, hang the architect out to dry.

Although what probably happened is that the customer didn’t bother with a qualified systems architect. They took Joe from accounting who has a computer at home and is therefore an expert, had him draw up the spec, which was then forwarded to coders directly.

Yes, I’ve seen that happen - many times. A cobbled-together database in dBASE gets scaled up to Oracle … and things go very wrong because it wasn’t ‘designed’ and no thought was given to the complete set of ‘use cases’. Or Visual Basic, or JavaScript, or some other “easy to use” tool in the hands of people who don’t have a complete understanding.

Read the rest of the comments to the article for yourself. There’s a lot there that is pertinent to coding and to banking.

April 27th, 2007

Schneier questions need for security industry

http://news.com.com/Schneier+questions+need+for+security+industry/2100-7355_3-6179500.html

“We shouldn’t have to come and find a company to secure our e-mail. E-mail should already be secure. We shouldn’t have to buy from somebody to secure our network or servers. Our networks and servers should already be secure.”

and

“Security is a small but important piece of the bigger picture,” Schneier said. He added that consumers shouldn’t accept any product that is inherently insecure.

Dumb Dumb Dumb!
You can’t fight basic economics!

In my Quotes Database

Be very glad that your PC is insecure—it means that after you buy it, you can break into it and install whatever software you want.
What YOU want, not what [content providers] want.
– John Gilmore of the EFF

Amusing, yes, but true.
And in a deeper way.

When the PC came out it was shipped as a very crippled system but an OPEN SYSTEM. You could easily open it up and plug stuff in. This meant there was opportunity for third-party developers, hardware and software, and an upgrade path. A whole ‘ecosystem’ grew up around the PC. The threshold to entry was low - hence much freeware and shareware and a massive amount of experimentation. The fact that it was crippled actually encouraged developers.

Contrast this with the closed system of the Mac when it came out. Look at the market share.

We can see this in economic history as well. Countries and eras where power and control mattered more were not economically aggressive. The most obvious example is the Cold War era USA and the Soviet Union, but there are many others through history. It’s not about “freedom” in the sense that Tom Paine and the American Founding Fathers wrote of it so much as freedom to prosper. Hong Kong under British rule demonstrated that: economic growth without the need for USA-style or any of the European styles of “democracy”.

The issue isn’t that software products are insecure. That is an emergent property of the economic system that allows their development; as people here have pointed out many times, the market pays for what it wants. Commenting on certain types of firewalls, Marcus Ranum has observed that people are more willing to pay for speed than security. (And why do people pay for cars that can go faster than our roads will safely permit?)

Perhaps “closed” isn’t quite the right term. Apple’s iPod is a closed unit, but there is a vast market of third-party add-on units for it. The iPod economic ecology is very rich, rich enough to allow competitors (look how many other MP3 players there are).

But the point is that a product strategy that allows for this “let others add value” is a sound one. In many ways it’s better than having a closed system and worrying about your “channels”, because the developers of these add-ons are doing your marketing for you.

December 29th, 2006

Can-Spam Law A ‘Big Disappointment’

http://www.crn.com/nl/crndailynews/showArticle.jhtml?articleId=196800022

The article opens

As the federal Can-Spam Act nears its third anniversary, a spam researcher calls it a “big disappointment” and says it hasn’t been a deterrent to junk e-mailers, who have stepped up their efforts in the last few months to flood inboxes with an unprecedented volume of spam.

Indeed.

This last week I have been seeing about 300 to 500 items of spam compared to around 50 legitimate items of e-mail in my mailboxes each day.

Or truth be told I don’t see them. I run SpamAssassin and it catches them and puts them in a junk folder.


October 19th, 2006

Open Source for Bean Counters

This white paper moves away from the religious fervour of the geeks to the B-School reasons for open source.

This white paper will demystify the concepts of open source for readers—especially those in Finance—who are unfamiliar with the movement’s principles. The paper will then explore the ways in which open source concepts can be applied to the area of business performance management (BPM)—the set of processes, including budgeting, forecasting, and reporting, that financial and operational managers use to make decisions and run their businesses. Finance readers will learn how they can harness open source to provide a new alternative to solve longstanding BPM problems, while IT readers will learn how to apply their open source knowledge to support their Finance organizations.

Registration is required to download the white paper.


July 6th, 2006

The truth About AV

Those of you who haven’t visited Rob Rosenberger’s VMyths.com site should do so. The quotes below are from this Forbes article: http://www.forbes.com/home/free_forbes/2006/0605/100.html

To sell antivirus software, first you must sell the fear. Verisign, the intrepid Web security giant, issued an ominous warning in December. It predicted an imminent invasion by a worm called Sober, which would infect networks worldwide and clog up the Internet. It would be timed to coincide with the 87th anniversary of the founding of the Nazi party.

Yes, the Nazis are a big “Fearsome” monster still in the minds of many people.

Other firms joined in a chorus of worry, offering an abundance of soundbites for news outlets.

As in ‘not to be outdone’

Neither outbreak ever occurred. Two small security software outfits claimed credit for blocking the Kama Sutra virus.

I have a sure-fire elephant repellent to prevent elephants stomping over your garden. Works great at 40 degrees and further north in areas with plenty of rain and the occasional rose bush….

Vincent Weafer, who runs the security response division at Symantec, the world’s largest seller of antivirus software, concedes both threats were duds and that his rivals overhyped them. “To get attention, you pick something new and say the sky’s falling down,” he says.

Oh WOW. Honesty. But anyway, spend a few days - hours? - reading VMyths.com.
