Security is hard right?

Security is hard right? It must be or everybody would be doing it right. OWASP have released their new Top 10 web vulnerabilities for 2010, which still contains 7 of the items in the top 10 from 2007 and 6 items from the 2004 top 10. Progress in educating developers and eliminating some of the biggest threats seems slow. I'm not sure why.

I (along with fellow Security Circus poster Richard) recently spent a day working our way through some rather incomplete and arcane documentation from a large software vendor trying to determine how they required SSL to be implemented between both the separate elements of their product and the endpoint clients.
Between poor documentation, requiring OpenSSL & Java KeyStore/keytool and the software not trusting common 3rd-party CAs (such as Verisign), it was a long and frustrating experience. And that was for two guys with a reasonable understanding of PKI. For a developer or sysadmin who was new to security or unsure about PKI in general it would have been a nightmare.

The knowledge base for the product was not much better, leaving me with little doubt that while many people may understand the need for security, the 'how' can be sorely lacking - and is not helped when the software developer/vendor (or integrator) seems to have little grasp of security themselves - or a disinclination to explain the details to their customers.

It reminds me a little of a UNIX sysadmin I worked with many years ago, before I was full-time in IT, who was so secretive about the system and how it worked that he had three assistants quit in 12 months out of frustration. Was it secretive paranoia or simply keeping the 'knowledge' to himself as a power trip? (personally I suspect the latter...)

While there are always elements of security and IT in general that require secrecy, the how is not one of them. Explaining how to implement security so even a home user (or my Mom!*) can easily understand it and follow the steps is a good thing.

*Actually my Mom isn't too bad with her PC!
