Author: Wolf Language: text
Description: Developer's Security Obligations Timestamp: 2014-09-08 18:02:13 +0000
Hello,

I've been listening to your show for a while now and really enjoy it. Lately I've been listening to it on the way to school. I am a non-traditional student and a military veteran.

Anyway.

I wanted to comment on the discussion about programmers and the duty to provide secure services.

I feel that if you are creating a service you should take an oath to "do no harm." In the medical field, for example, there are problems that arise because of incompetence as well as problems that arise from complications (bugs). The idea is that if you amputate the wrong leg then that is incompetence, but if you take a person into the ER and give them something to save their life and they die because they were allergic to it, then I think we can agree that the person would have died anyway, but how many others who didn't have this allergy would be saved.

I'm thinking Heartbleed vs ROT13. One was a programming error in a program that has been used and tested and regarded as a generally secure program, while ROT13 might have been advanced a hundred years ago and would be a failure of an attempt at security.

Ideas:

1. People are putting more and more information online, not necessarily because they really want to but because sometimes it is built into different applications.
2. Putting things online for private use should stay private.
3. Web software is becoming very important to people for generating revenue, finding jobs (GitHub), creating startups that Amazon might want to buy for $1Bn, and if people feel that only company x can do security correctly then other startups/developers lose.
4. "Our service is secure" doesn't mean a lot because it isn't really a defined thing. Other words like "high quality" and "organic" aren't well defined or legally defined, so sometimes people think things based on their own definition. For example: "Secure" may mean different things to different people, and sometimes crackers are the only ones doing the audits.
   1. Even if the services said how they do their security, are you sure that you can trust them, or did they copy that from another site?
   2. Would the average person know the security implications of: "All passwords are enciphered using ROT13 and stored on our Windows XP Pro server." And for that matter, would a well-meaning but security-inept developer?
5. Developers need to realize that mal actors are always trying to break their programs.
6. Security cannot be something we try to implement but do so poorly. I get that the next great web app's developers might not know security that well but...
   3. Possibly tell users the basics of what is being done security-wise, but that you aren't a security expert and that your grocery list might be OK but probably not nudie pics unless you are OK with sharing.
   4. Ask for help from people you trust.
   5. Keep an eye out for recent bugs and vulnerabilities. I'm thinking of the taxi cab thing from a few episodes ago. Allan had a lot of info about how to do that better. I'm sure there are a few "how not to do security" sites on the internet to look through.
7. Encryption is available for everyone to use, and people should be taught about it and be allowed to use it if they know and understand what it is (iCloud).

Questions:

1. Many tools we use (iCloud) aren't very transparent about how things are done, and should we assume that these tools are secure or insecure?
2. Will increased security concerns shrink the cloud market? There was a push / idea that we could just push everything to the cloud and let someone else deal with it. Now every day, it seems, there is a company / service that is getting compromised. I think many people and businesses are realizing that the only one that truly cares about your data is you.

-killaken2000