the big gamble of security

Gawker recently had an issue that exposed the security of their web code (and overall posture) as crap. Not surprising. Reading the comments to an article about it on The Register also yields no surprises.

There are plenty of managers and others who don’t understand the consequences and risks of not paying proper respect to security. They truly do need to be educated.

But there are others who *do* understand the risks, and who *still* make decisions that leave security lacking. This is what I call the big security gamble. And it is just a matter of the risk a company wants to accept, or at least put off until such a time (if ever) that something does happen. See, it’s that “if ever” part that really starts the shoving matches. In security, we really should be talking about the inevitability of an incident. But human nature won’t necessarily accept that inevitability. You really might be able to go for many, many years without suffering (or at least knowing you suffered) an incident. Kinda like not having car insurance and yet still driving…

It’s hard to argue that deadlines should be pushed in order to get security done right, especially when a product may be new and no one even knows if it is viable yet or going to succeed at all! What comes first, the product (and resultant revenues) or security spend? [I like to also say, to head off a natural line of argument: which comes first, learning how to assign a variable or learning how to assign a properly bounded and verified variable?] Of course, once it does succeed, that inertia of ignoring security is hard to turn around until something bad happens…

The fact is, economics will trump security. Hell, economics trumps *safety* even (though few people like to talk about that). This is life.

That sounds exceedingly defeatist and cynical, and in a way it is. But it really, really helps keep a security geek sane to come to terms with reality every now and then. That won’t stop me from always giving the ideal suggestions when asked, or from trying to gain as much security ground as possible when given the chance. Or from striving to do security correctly in the first place.

If I got pissed off at everyone who had a security incident or lapse, or who didn’t cover every hole and feasible issue, I’d be pissed off at everyone. Granted, there is negligence and stupidity… but… you get my drift, I’m sure.