
Product Security Evolution

The Emergent Chaos Jazz Combo has a post on vendor liability as part of the solution. I agree that liability may indeed be part of the solution, but what about the market? I know that software is likely to remain a market for lemons, but Oracle's recent public security problems are there for the whole market to see and react to. Will the attention Microsoft has paid to security in recent years pay off in more market share, and will that in turn drive Oracle to focus more seriously on its own security? Companies that invest large amounts in databases typically have the resources to commission a deeper analysis of the product through analyst groups than a consumer would have in assessing, for example, an email client.

Update: Bruce Schneier weighs in on the side of assigning liability to the vendor, not the developer. Liability is part of a long-term security improvement scenario, but what about when the configuration is at fault rather than the product per se?

Comments

I think the configuration question is a fascinating one. There are lots of questions of the "too many dialog boxes" problem, of documentation which goes unread, etc.

Of course, security products are often chief culprits in the space of complexity. There are access management products widely deployed that require 12+ logical servers in order to function. So to do basic authentication and authorization for your web app you need to install and configure an LDAP server, web server, database servers, and so on, just for the access management piece. Does anyone think that adding 12 servers on top of a three-tier app is making things more secure? Seems like a lot of assumptions that all those additional servers are vulnerability-free and configured properly.

One of the reasons I think federation is a positive step in the industry is that federation simplifies the integration of security credentials among sites, so instead of relying on configuration, mapping, and coding all done as one-off custom solutions, we can have a well-understood set of deployment and usage patterns based on industry standards.
