Stress afflicts security bosses
BBC News | Tuesday, 15 March, 2005 | BBC News
Posted on 03/16/2005 4:08:46 AM PST by r5boston
Keeping computer viruses at bay is more stressful than divorce, warns a survey.
The research revealed how European technology bosses were coping with the growing number of hi-tech threats.
Although many firms had software in place to combat viruses, spam and phishing, it found few adequately protected against all threats.
The survey also revealed that many tech bosses would face dismissal if they let their firm fall victim to a serious security breach.
(Excerpt) Read more at news.bbc.co.uk ...
TOPICS: Technical
KEYWORDS: cybersecurity; pcvirus
1 posted on 03/16/2005 4:08:46 AM PST by r5boston
To: r5boston
By all means, let's not hold the software manufacturers, uh Microsoft, that market these security hole riddled packages accountable.
Let's blame the guy/gal doing their level best given budget and staffing restraints to guard the gates against any number and type of asymmetric attacks.
To: Dad2Angels
I also blame the idiot users who don't think twice about phishing attacks, replying to spam, or installing that ActiveX script because they think they need it to browse a website.
They think security is someone else's problem. That attitude has to change.
3 posted on 03/16/2005 5:30:27 AM PST by Terpfen
(New Democrat Party motto: les enfant terribles)
To: Terpfen
That is a corporate mentality issue.
The first thing that needs to happen on that front is that the folks at the top need to grow a set and lay down concrete rules about such things that carry concrete penalties if violated.
I know this sounds harsh but once you've spent 72 hours straight cleaning up the worst of the problem and weeks afterward catching the stragglers you begin to understand the financial cost of being so lax.
To: Dad2Angels
By all means, let's not hold the software manufacturers, uh Microsoft, that market these security hole riddled packages accountable. Let's blame the guy/gal doing their level best given budget and staffing restraints to guard the gates against any number and type of asymmetric attacks.
Uh, get real. Many of these so-called "security bosses" have their heads up their asses and don't know what measures they should be taking against security threats. Examples ... allowing attachments to pass through the corporate email servers without being quarantined ... allowing their users to run with admin privileges ... not requiring adequate password policy ... not using an adequate firewall ... not filtering allowable user-browsable websites at the proxy ... not establishing corporate standards to establish allowable applications ... etc.
5 posted on 03/17/2005 1:16:35 PM PST by Bush2000
To: Dad2Angels
The first thing that needs to happen on that front is that the folks at the top need to grow a set and lay down concrete rules about such things that carry concrete penalties if violated.
Absolutely! Rationally *implemented* corporate security policy can eliminate the vast number of threats. Trouble is, many companies either don't have such policy -- or they fail to implement it. You can't blame the vendor for that. That's just poor management.
6 posted on 03/17/2005 1:19:33 PM PST by Bush2000
To: Bush2000
Uh, I am real.
While your point about some security bosses is spot on, a large number of security holes are present in the software when it is released to the market.
It happens frequently and with little to no consequence to the software vendor.
As for corporate policies. Most security bosses can only suggest policy, it is up to their bosses to trust they know what they are talking about and implement their suggestions which many are reluctant to do due to PC BS. And I don't mean Personal Computer.
P.S.
The way you started your rebuttal was a perfect example of one with something up HIS ass.
Grow Up.
To: Dad2Angels
Uh, I am real.
No, you're not. You're blaming software vendors for some problems that legitimately belong to failure to implement appropriate corporate security policy.
While your point about some security bosses is spot on, a large number of security holes are present in the software when it is released to the market.
There will *always* be a large number of security holes in any software. Doesn't matter whether it's open or closed source.
The way you started your rebuttal was a perfect example of one with something up HIS ass. Grow Up.
8 posted on 03/17/2005 2:23:31 PM PST by Bush2000
To: Bush2000
By your logic a car manufacturer should not be held responsible if the front axle breaks every time a driver makes a left hand turn.
That driver should simply have exercised better driving discipline and stopped making lefts.
To: Dad2Angels
By your logic a car manufacturer should not be held responsible if the front axle breaks every time a driver makes a left hand turn.
Your analogy is flawed. You're actually because some kid jimmied the car door and took the car for a ride. In your mind, apparently, the car manufacturer should have provided a break-in-proof automobile; otherwise, it's "flawed".
10 posted on 03/17/2005 3:30:25 PM PST by Bush2000
To: Bush2000
I would disagree with your analogy also.
I can take steps to protect my car by locking the doors, placing it in my garage, using an alarm system, etc and admittedly many don't take these obvious steps and that's their problem.
However, if the manufacturer sends its cars out of the factory with so many vulnerabilities that an industry is created that does nothing else but research into where those vulnerabilities are and development of products to protect against those vulnerabilities, I'd say the SW vendors are neglecting to do due diligence during the development and testing of their products.
In the end there is more than enough blame to go around on this topic. But your seeming refusal to place any of the responsibility on the SW vendors is shortsighted and can only lead me to one conclusion.
You are somehow involved in the SW industry, most likely the development end somewhere.
To: Dad2Angels
I would disagree with your analogy also.
Of course you do. You're disagreeable.
I can take steps to protect my car by locking the doors, placing it in my garage, using an alarm system, etc and admittedly many don't take these obvious steps and that's their problem.
That's precisely what I'm talking about! Those "steps" are analogous to "rational implementation of security policy"! Nobody ever claimed that the car was break-in-proof. But you [unrealistically] expect it to be when you blame GM or Ford or whoever made it.
However, if the manufacturer sends its cars out of the factory with so many vulnerabilities that an industry is created that does nothing else but research into where those vulnerabilities are and development of products to protect against those vulnerabilities, I'd say the SW vendors are neglecting to do due diligence during the development and testing of their products.
Consider it this way. If a thief spends his entire day thinking of ways to break into your car, there's very little that you can do to prevent him from doing so -- other than widening the perimeter of security around your car. As you said, lock it (use strong passwords), place it in a garage (firewall), use an alarm system (monitoring and notification), etc. You don't blame the car manufacturer for people discovering that, if you put a crowbar in the door jamb, it's possible to pry it open. You don't blame the car manufacturer for people discovering that twisting a small piece of wire will open the lock. You don't blame the car manufacturer for people discovering that if you hit the window with a blunt instrument hard enough, it will crack and allow them to enter the vehicle.
In the end there is more than enough blame to go around on this topic. But your seeming refusal to place any of the responsibility on the SW vendors is shortsighted and can only lead me to one conclusion.
Manufacturers should do their due diligence to secure their products; however, you're being totally unrealistic about this whole thing. Anybody who thinks it's possible to ship with zero bugs is loony. So NO software would ever be good enough.
You are somehow involved in the SW industry, most likely the development end somewhere
Duh. Do you think? /SARCASM
12 posted on 03/18/2005 9:27:13 AM PST by Bush2000
To: Bush2000
Caffeine is not always our friend.
You may want to modify your intake.
P.S.
If you get out from behind your desk more often you may learn how to interact with PEOPLE on a level that makes you less obnoxious.
/end
To: Dad2Angels
Look, cube-dweller, I probably do a lot more interaction with people in the industry than you do. And the fact of the matter is that you're being unrealistic. *Every* OS and *every* application has serious security issues. That you seem to be oblivious to this fact indicates that you spend a little too much time in your cube.
14 posted on 03/18/2005 10:00:33 AM PST by Bush2000