symantec hack is whack is a case study

Posted on by michael

Yeah, we’ve all heard more than we need to about Symantec’s Hack is Whack campaign and the security holes found in the newborn site.

This is what I call a decently Big Deal; a sort of case study in how even a security giant is dropping a site out onto the internet that is full of holes. Certainly Symantec has security experts enough to review their code and make suggestions, or code it up properly from the start. Or at least have some oversight to slow down the process and make sure marketing has their details buttoned up, right? (I’m quite aware that marketing no doubt implemented and ran with this completely on their own, likely through a third party or even fourth party, but my point will remain…)

This really provides a horrible, sobering example of the state of things right now, especially in how important security truly is to organizations. Far too many do whatever they want, until someone pokes the soft spots and points them out. The more public or damaging, the more likely a quick response is forthcoming. And this from a security company!

I’m not going to go so far as to say this is a call to arms for security to be at the forefront of marketing in Symantec or even any organization. That’s a dreamy ideal, but not one I’m thinking is realistic at this point. No one likes security dragging the timelines out and making things complicated!

It should instead be more of a call to arms for executives to care about this sort of thing, which in turn can start permeating that cultural change in everyone else. It just doesn’t work to be 100% reactive. That is still what I call the Big Gamble in organizational security. Roll it out there and hope no one ever cares too much and finds big holes. That or the attitude that you can’t secure it yourself, so roll it out there and let others provide your QA and security testing for you. I agree you can do those approaches, but they can’t be your only approach. You’ll either continue to be laughed at, or you’ll get pwned and not know it.

I may still be a bit idealistic in my viewpoint. In larger corps, they’re just too big to play catch-up on everything that is going on. In smaller corps, they just want to survive and can’t afford to go slow or imbed security in something that may not even exist in 6 months if it fails.