

Gene Spafford

There's some validity to this argument. We have not done a very good job from a usability standpoint. But as others have pointed out, it is also partly caused by a lack of willingness to invest without imminent threat.

As an example, we continue to do most of our programming in C and its kin. That is also where the bulk of our operational code (for interactive systems) lies. Yet, that really is not a good language to build in -- it is difficult to map to specification systems, it allows too many preventable mistakes (e.g., buffer overruns), and the semantics doesn't support comprehensive testing. There are better language systems, but they aren't used. Why? Largely inertia and cost.

Lots of other examples out there if we look. But they require a more fundamental and sweeping change than perhaps you were contemplating in your post. We simply don't have the impetus, as a society, to make those changes. Yet.

However, I won't claim that all problems are solved. There is much more to understand (including interfaces for the average user). But we do know how to prevent lots more than we are right now.


"But we do know how to prevent lots more than we are right now."

Could not agree more.

Christofer Hoff

G-Money...(that's your street name, in case you didn't savvy)

I think a distinction needs to be made wherein Spaf didn't say we knew how to "operationalize" the solutions to these problems or that the solutions even existed in tangible form, but rather that we know "what" we need to do.

I think, as you allude, the next (and hardest) step is how.

