Serious Security Problems
© Copyright Frank D. Kanu 2000-2008
Classic.
How can you look at yourself in the mirror knowing that your software has a vulnerability but doing nothing about it? How can you even sleep tight a night?
Over and over again have I witnessed developers been ordered to stop testing software—because the management did not like the fact that they discovered uncounted bugs and vulnerabilities.
Brian Tracey said:
So - what is the purpose of a company not revealing known security issues for several months?
Taking a closer look we can come up with a few possibilities:
There are some “managers” seeing that there are problems with their software - they look for other ways of making money, like consulting. That does not fix the problems in the software but increases short term revenue.
The sleaziness and stupidity in the software development has taken a turn which turns my stomach:
Technorati (All Links are external): appropriate education brian tracey bugs checksum costs money customer profits decreases developers developing software education problems encrypted encryption honesty hours spent i do not know import program jeopardy knowing mirror missing the point mistake money money software necessities plain text possibilities reputation security issues security problems serious security sleep tight small software software development software developments software engineering spreadsheets stomach stupidity take time takes time taking a closer look testing software unspoken vulnerabilities vulnerability web based software business it
Although we were disappointed to learn that you guys had known about this vulnerability for several months and did not notify us. [Or fixed it!]
Classic.
Scary.
How can you look at yourself in the mirror knowing that your software has a vulnerability but doing nothing about it? How can you even sleep tight a night?Over and over again have I witnessed developers been ordered to stop testing software—because the management did not like the fact that they discovered uncounted bugs and vulnerabilities.
Brian Tracey said:
“The purpose of a business is to create and keep a customer. Profits are a measure of how well a company is fulfilling its purpose.”
So - what is the purpose of a company not revealing known security issues for several months?
Taking a closer look we can come up with a few possibilities:
- It costs money.
- It takes time.
- It damages reputation.
- It decreases sales to old and new customers.
- The design has to be changed.
- Data has to be stored differently.
- Our users do not try to find bugs.
So let me get this straight: Some-one decides that it will cost money and smaller the profit to go ahead and fix security issues.
Software developments driven by managers whose decisions are driven by costs instead of necessities are more then dangerous. Usually they are suicidal.
Following the appropriate procedures of designing and developing software the time needed could have been minimized.
I once experienced a company refusing to write a small software (40 hours) to set up the database for a new customer. Instead they used faulty spreadsheets and filled to database with an import program. Every import needed manual correction. On average there were 10 hours spent per new customer. Did they really save time? Or money?
Of course it does!
Every mistake you make can cost you your reputation. But what damages more: Announcing today or waiting months and putting the customers business into jeopardy?
Only if you are dishonest about it! There are many products out there which were faulty, fixed and sold again.
While many people understand that software has bugs being honesty about security issues is what helps you to keep selling your software.
Then do it, but get it right! See it for the opportunity it is, and include the customers to get a design which can serve their needs.
This brings you back to an incorrect design at the beginning. Designing and database designing are difficult tasks which take time and cost money.
There is this one web based software transferring personally data (complete resume) over the wire without any encryption of the data. And then the only solution they came up with is to use a checksum - the data is still not encrypted - thus still not secure at all. How did that protect the users privacy? Not to mention that the data was and still is stored in plain text.
What a nice way of missing the point! The people trying to find bugs are named testers, not users.
What do you think will happen when any one of the Federal agencies has an audit? Or a user finds a lawyer with too much time on their hands?
There are some “managers” seeing that there are problems with their software - they look for other ways of making money, like consulting. That does not fix the problems in the software but increases short term revenue.
The sleaziness and stupidity in the software development has taken a turn which turns my stomach:
- The majority of the developers are not worth their money.
- Software development is engineering:
- Problems are avoided and stay unspoken:
Engineers need and get an appropriate education.
What I don’t know about can’t be happening.
When in the last years did we miss raising our voices to make it clear that this is the wrong way of doing software engineering?
Tags:
appropriate education brian tracey bugs checksum costs money customer profits decreases developers developing software education problems encrypted encryption honesty hours spent i do not know import program jeopardy knowing mirror missing the point mistake money money software necessities plain text possibilities reputation security issues security problems serious security sleep tight small software software development software developments software engineering spreadsheets stomach stupidity take time takes time taking a closer look testing software unspoken vulnerabilities vulnerability web based softwareTechnorati (All Links are external): appropriate education brian tracey bugs checksum costs money customer profits decreases developers developing software education problems encrypted encryption honesty hours spent i do not know import program jeopardy knowing mirror missing the point mistake money money software necessities plain text possibilities reputation security issues security problems serious security sleep tight small software software development software developments software engineering spreadsheets stomach stupidity take time takes time taking a closer look testing software unspoken vulnerabilities vulnerability web based software business it
This blog-entry is protected by a digital fingerprint:785273ed81985582c8a1be62f78c9459
