<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Security is productized, so real research is hampered</title>
	<atom:link href="http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/feed/" rel="self" type="application/rss+xml" />
	<link>http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/</link>
	<description>Commentary on the State of Information Security</description>
	<lastBuildDate>Thu, 02 Feb 2012 20:22:19 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Cutaway</title>
		<link>http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/comment-page-1/#comment-13274</link>
		<dc:creator>Cutaway</dc:creator>
		<pubDate>Sat, 03 Mar 2007 07:12:46 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/#comment-13274</guid>
		<description>LonerVamp definitely hit the nail on the head.  Security Research teams are cost-effective for all companies.  They are not going to find everything.  Heck, they may only find the &quot;sexy&quot; stuff that is exploitable.  But, if the code is already broken, and you have to fix it anyway, why would you want to spend more money on lawyers when you could have spent it on improving the product and investigating the root cause (hello SDLC!)?  That does not sound cost-effective and perhaps a few CFOs should be looking into it.

Don&#039;t worry, Vet.  We feel your pain and, as a Marine, I have a few pointed and disgusting words you can use in your next article.  Just drop me a line and I&#039;ll fill you in. :)

Go forth and do good things,
Cutaway</description>
		<content:encoded><![CDATA[<p>LonerVamp definitely hit the nail on the head.  Security Research teams are cost-effective for all companies.  They are not going to find everything.  Heck, they may only find the &#8220;sexy&#8221; stuff that is exploitable.  But, if the code is already broken, and you have to fix it anyway, why would you want to spend more money on lawyers when you could have spent it on improving the product and investigating the root cause (hello SDLC!)?  That does not sound cost-effective and perhaps a few CFOs should be looking into it.</p>
<p>Don&#8217;t worry, Vet.  We feel your pain and, as a Marine, I have a few pointed and disgusting words you can use in your next article.  Just drop me a line and I&#8217;ll fill you in. <img src='http://infosecplace.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<p>Go forth and do good things,<br />
Cutaway</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Alan Shimel</title>
		<link>http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/comment-page-1/#comment-13267</link>
		<dc:creator>Alan Shimel</dc:creator>
		<pubDate>Sat, 03 Mar 2007 05:13:47 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/#comment-13267</guid>
		<description>Michael- you don&#039;t have to apologize to me about the language. It&#039;s your blog, you write what you want.  You have to make your own peace with the man ;-)</description>
		<content:encoded><![CDATA[<p>Michael- you don&#8217;t have to apologize to me about the language. It&#8217;s your blog, you write what you want.  You have to make your own peace with the man <img src='http://infosecplace.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: LonerVamp</title>
		<link>http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/comment-page-1/#comment-13179</link>
		<dc:creator>LonerVamp</dc:creator>
		<pubDate>Fri, 02 Mar 2007 15:37:38 +0000</pubDate>
		<guid isPermaLink="false">http://infosecplace.com/blog/2007/03/02/security-is-productized-so-real-research-is-hampered/#comment-13179</guid>
		<description>Don&#039;t forget last year&#039;s David Maynor/Cache and Apple fiasco. That&#039;s now three years and three major cons that have experienced this frustration. And these are only the widespread and known cases.

Much like the RIAA and MPAA are slow to move and react to technology and end up being very heavy-handed in their dealings with people they typically look down upon, so too are many businesses coping more slowly than I think they will admit when it comes to things like security and the disclosures of.

I think it will just take time (sadly, too much time) for people and thus companies to get used to the reality of security in a digital world. This stuff just is. It happens. It will always happen. It doesn&#039;t have to mean that one mistake drops your stock price x points. It will take time for more people to deal positively with such things and accept a little outside criticism.

It makes me mad too. Hell, how much money would it have taken for each of these three incident companies to have spent to find these issues on their own? And they end up getting some free research and help! Even a piece of malware can be seen in a positive light, just like seeing a real health threat virus. We can then look at it, learn from it, and work to prevent it.</description>
		<content:encoded><![CDATA[<p>Don&#8217;t forget last year&#8217;s David Maynor/Cache and Apple fiasco. That&#8217;s now three years and three major cons that have experienced this frustration. And these are only the widespread and known cases.</p>
<p>Much like the RIAA and MPAA are slow to move and react to technology and end up being very heavy-handed in their dealings with people they typically look down upon, so too are many businesses coping more slowly than I think they will admit when it comes to things like security and the disclosures of.</p>
<p>I think it will just take time (sadly, too much time) for people and thus companies to get used to the reality of security in a digital world. This stuff just is. It happens. It will always happen. It doesn&#8217;t have to mean that one mistake drops your stock price x points. It will take time for more people to deal positively with such things and accept a little outside criticism.</p>
<p>It makes me mad too. Hell, how much money would it have taken for each of these three incident companies to have spent to find these issues on their own? And they end up getting some free research and help! Even a piece of malware can be seen in a positive light, just like seeing a real health threat virus. We can then look at it, learn from it, and work to prevent it.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

