Letters

From the online mail bag

In response to a June 2 news story, Software crack site hides malware repository:
I would have to say that many of the warez and crack sites are like this. It's nothing new and has been going on for years. As for me, I could hardly care. It serves people right for trying to pirate software keys and cracks. Oftentimes, I go to such sites just to test out a new anti-virus client or update against the latest threats online. It really is a great way to test out security software.
Computer Repair Man

In response to a May 14 news story, Scam sites increasingly masquerading as Facebook, MySpace:
This is an interesting, if not unexpected, trend. What makes it more confusing is that many major sites place some of their content in subdomains, making it even more difficult to confirm that you're on the ‘real’ site. That's probably a lesson for those of us who design and build websites.
Anne Easterling

In response to a May 13 news story, Nearly half of IT security budgets deemed insufficient:
Organizations that reduce their security budgets are likely trading lower costs for higher risk today, which may translate into incidents and higher losses in the future. Is the security staff held accountable for this increased risk? This seems like the biggest source of stress for an administrator – operating with the same accountability, with higher risk and fewer resources.

Granted, some companies need to cut costs across the board to survive, or they'll default on their obligations. In that scenario, keeping the security budget intact is not realistic. But I'd ask: how are organizations assigning responsibility for the new level of acceptable risk? If it doesn't rest with the business, this is a sign the organization may lack the ability to recognize when it has cut too far.
Jeff Reava

Since the threats faced by most organizations continue to grow, and the complexity of systems keeps increasing, I find it staggering that many security professionals are “sleeping like a baby.” It is not like I want them up all night, but it seems that they should be ever vigilant and worried, since it is a dangerous world.
Arthur

In response to a May 18 Opinion column, Open letter to vendors on software security, by Andrew Storms, nCircle:
I agree with much of what you've said here about the state of ‘our’ industry. But you seem to set ‘us’ security people against ‘them’ vendors. Building security software requires a collaboration of development, security and business people.

There is a widely held, misguided belief that applications are secure unless someone finds a problem. It's the equivalent of the default-allow firewall setup, and it has dominated the commercial software industry for many years. This is what your letter should challenge the software industry to change. We shouldn't have to trust software without evidence about the people, processes and tools used to design, build and test it. Without transparency, visibility and evidence we can trust nothing.

Your message only challenges vendors to treat the symptoms faster and measure them better. We have to get past the symptoms and eliminate the root causes of insecure software. We must enable our developers to create secure code with standard security controls, training and positive standards. We need to spend at least as much time designing and building security as we do searching for problems. We need to stop hacking stuff and start focusing on the breadth and depth of security verification. And we need to stop making security risk and spending decisions based exclusively on spotty information about security issues.

A few leading organizations have figured out that in today's market, they can cut software development costs and also reduce their risk by following these recommendations. You can spend your entire appsec budget chasing vulnerabilities and you'll still get increasingly less secure. The time has come for the ‘insecurity community’ to change and for ‘us’ to start generating real assurance.
Jeff Williams

In response to a May 15 news story, California water company insider steals $9 million:
How could he be employed by the water company if he was an illegal alien and ordered to be deported four years ago? Raises many a question for their HR department.
George

In response to an April 9 news story, Conficker worm updated to send spam, hawk fake AV:
If you are infected with scareware, the software will falsely inform you that your system is infected with viruses other than itself. So you are actually infected, but the infection falsely warns of other infections, and promises to clean them when you purchase.
Ryan

In response to an April 10 news story, Survey finds that SMBs often lack basic security:
This shouldn't be a shock. In addition to having dedicated technology teams, large companies are typically under greater scrutiny to ensure regulatory compliance. Further, increasing security budgets in these smaller business entities won't help if non-technical managers continue to determine security strategy and control implementation.
Tom Olzak


The opinions expressed in these letters are not necessarily those of SC Magazine.