Google Hacker is 30-year-old Security Consultant

Status
Not open for further replies.

milktea

[citation][nom]annymmo[/nom]It's so the Chinese Government, mark my words! (Hopefully this won't start World War 3)[/citation]
Seems like World War 3 is just a cyber war. So virtually speaking, there's nothing to worry about since it's not real. :))
 
Guest
buckinbottoms

I completely agree that the companies need to secure their systems first, but as has been established, this was a very sophisticated attack involving several layers of infiltration, not just on the software side. More importantly, what I think you underplay here is the possible harm that results from an attack that steals IP. Had they just hacked the system for sabotage purposes, then yes, no harm, but what actually occurred was theft of IP, and theft of IP can become a national interest if that IP is what keeps a country competitive.
 

sinman

[citation][nom]Curnel_D[/nom]You can't make software infallibly secure. It's impossible. By your same methodology, you could blame a bank being robbed cause they leave the doors unlocked, or a woman having been violated, because she wasn't wearing a burka. People have to live their lives, conduct business, improve. If software companies spent all their time trying to keep their software 100% secure, there would be zero innovation. The only way to combat this is to make sure there are serious consequences to illegal hacking. The face value tells us we need better security, but common sense and wisdom tells us that we have to take a middle ground to move forward.[/citation]

100% secure software does not exist. Security is directly proportional to accessibility. 100% secure software will be software with so many restrictions that it would be useless with no functionality. So it's not a question of innovation. Innovation doesn't even have anything to do with it.

There will always be security flaws in code, for two main reasons.

1) Companies are not gonna push back their deadlines to meet security standards.

2) They are not going to waste an entire budget on it.

Most coders don't pay attention, or don't have a full understanding of how exploits work to make their code better. All they can do is follow the best practices. But at the end of the day there is always going to be a buffer overflow, heap stack, sql injection vulnerability lying there somewhere.
 

curnel_D

[citation][nom]sinman[/nom]100% secure software does not exist. Security is directly proportional to accessibility. 100% secure software will be software with so many restrictions that it would be useless with no functionality. So it's not a question of innovation. Innovation doesn't even have anything to do with it. There will always be security flaws in code, for two main reasons. 1) Companies are not gonna push back their deadlines to meet security standards. 2) They are not going to waste an entire budget on it. Most coders don't pay attention, or don't have a full understanding of how exploits work to make their code better. All they can do is follow the best practices. But at the end of the day there is always going to be a buffer overflow, heap stack, sql injection vulnerability lying there somewhere.[/citation]
Useless software with no functionality won't sell. If it doesn't sell, then it's not even a software release. Innovation has everything to do with it. Either it's software, or it's useless lines of code. It can't be both. So if we have useful software, they have to direct their focus. Their focus could be all on Security, in an effort to keep it 100% secure, or it could be all in research, constantly looking towards the next best thing without caring about support releases. Fortunately, most software companies take the middle road, and try to get the best of both. Innovation.
 

sinman

[citation][nom]Curnel_D[/nom]Useless software with no functionality won't sell. If it doesn't sell, then it's not even a software release. Innovation has everything to do with it. Either it's software, or it's useless lines of code. It can't be both. So if we have useful software, they have to direct their focus. Their focus could be all on Security, in an effort to keep it 100% secure, or it could be all in research, constantly looking towards the next best thing without caring about support releases. Fortunately, most software companies take the middle road, and try to get the best of both. Innovation.[/citation]

What you're trying to say is if a software release is not "Innovative" it is "useless lines of code"? I care to differ; when you say innovation, that means something revolutionary and new. There have been many rehashes of old programs done/coded in "better" ways, which can range from efficiency to program size. Innovative? Not even close. Useless? No.

So I still can't understand why you keep trying to create a relation between innovation and secure software.

You then suggest companies should do 2 things:

1) Focus all on security.

That would mean programmers will have to be offered intense training on how to code securely while being able to guarantee that the programmers will implement what they learned into their coding, taking into account that training will never be enough.

Hiring a team of penetration testers to pentest the end product within a specific time frame, which is hardly enough time to complete the testing phase compared to what thousands of consumers/ public individuals can do.

Have a research department to continuously search for new types of exploits.

As you can see this is something beyond the scope of a company offering non-security related software. Hiring a 3rd party security firm to do all the following would cut revenues so hard that the corporate executives would have to refuse to.

2) Not caring about support releases.

This can't be done. Let's say you create Adobe, it becomes widely acclaimed and everybody around the globe enterprises/home users alike. There is an exploit, millions are lost from multi-billion corporations. You just lost your userbase. Especially if they know that no support releases/patches/hotfixes are going to be released.

And that is why they follow the middle road. It's just not worth it trying to make steel-belt coded software when it will only be 95% secure.

That is why the world works the way it does. Your black and white comparisons lack depth, and don't make any sense, especially while you're talking about something as shady as information security. On another note, I'm not flaming you as it is hard to convey tone on the boards. Just a friendly debate/conversation.
 

curnel_D

[citation][nom]sinman[/nom]On another note, I'm not flaming you as it is hard to convey tone on the boards. Just a friendly debate/conversation.[/citation]
I think this is the gist of it. From what I can tell, you've completely misread my last two posts. Which is fine, I understand. But I don't think we're actually disagreeing on anything. lol
 

d-block

[citation][nom]turini[/nom]Albert Einstein designed the a-bomb. Doesn't mean he nuked Japan[/citation]

Maybe not. But if China keeps this up, they are next on the list to be bombed back to the stone age.
 