Fixing Security Through Obscurity?

LineNoiz asks: "I work as a junior developer at a small company that sells check printing software. One of my company's favorite things to tell customers is how secure our product is and how it will reduce check fraud (we even sell check fraud insurance). I cringe every time I hear them say it, because I know that it is 'secure' only because of its relative obscurity. I personally know very little about security, and really have no idea what it would take to make our product secure. All I really know is that this is a problem waiting to happen. How can I convince my managers that our security is nothing to brag about? How can I convince them to spend the time and money to make it secure? Where can I myself go to learn more about security and what it would take to make/keep it secure?"

  • by Tumbleweed ( 3706 ) on Wednesday October 22, 2003 @06:01PM (#7285013)
    > How can I convince my managers that our security is nothing to brag about?

    The risky way would be to create and demonstrate an exploit. Et voila, they're convinced.

    Of course, you run the risk of being replaced by a security-knowledgable programmer once you do so. :)

    To help you convince them, learn about security, and present a fix for the problem. Then tell them they can REALLY go crazy on the security promotion aspect once they do so. Help them sell the product, and you may be sitting in the cat-bird seat, whatever that is.
  • by MerlynEmrys67 ( 583469 ) on Wednesday October 22, 2003 @06:08PM (#7285081)
    As a customer, I use your software - if there is a vulnerability, your company comes back in and reimburses my costs for the vulnerability... Sounds perfectly secure to me?

    Go and write a million lines of security software and don't provide the guarantee - it isn't worth as much to the customer.

    What you have to realize is that it is an easy equation for your company

    How many reimbursements do they have to pay out on an annual basis. vs. How much will it cost to lower that number.

    I am betting they are paying out pretty close to 0 in reimbursements (which is why they are advertising this) - how much of your salary will it take to make the product even slightly more secure?

  • Just forget it (Score:2, Insightful)

    by crstophr ( 529410 ) on Wednesday October 22, 2003 @06:11PM (#7285119) Homepage
    Why rock the boat in this economy? You could be fired just because you pissed someone off. It's not worth the risk. Be happy you're working! I know it really bothers you, but not as much as missing those paychecks will. If you really need to, create one simple, nicely worded email outlining your concerns, and send it to the manager in charge. Keep a copy for yourself. If in the future something does happen you can say, "See, I tried to warn you but you didn't listen. Here are my ideas for preventing it in the future..." --Chris
  • Re:Just forget it (Score:3, Insightful)

    by Acidic_Diarrhea ( 641390 ) on Wednesday October 22, 2003 @06:28PM (#7285245) Homepage Journal
    That's a great way to move up the corporate ladder - sit on your ass, do exactly what you're told, and never EVER take some initiative on your own.

    Wow, are you available to work? I'd LOVE to hire you!

    Looking out for the company's best interests, outside of your own small role, shows that you are interested in the company doing well and, even if nothing comes of it, will help when promotion time comes around.

  • by greenhide ( 597777 ) on Wednesday October 22, 2003 @07:33PM (#7285771)
    I guess they have some sort of software which allows people to order cheques remotely

    That's not the impression I got.

    This guy was really vague about the security concerns he had -- I guess he must believe in the "security through obscurity" method. :-p

    Frankly, I think this was way too generic of an Ask Slashdot. He should have said whether his security concerns were regarding the products that they sold (and again, since they're pieces of paper I'm not sure how you can "secure" them), the software used to print the checks (hmmm... I bet the banks will still take it if you write out the name and amount by hand!), or the network at his company.

    He admits to not knowing anything about security (If a geek says they know a "little" bit about something, that means that they have heard the term).

    And, really, what answer does he want? Something like "Go to your favorite online bookstore. Search for 'computer security'. Order the results by 'Customer Rating'. Purchase the first 5 books in the list. Read them through."? We certainly can't offer him any "security" suggestions, since we don't know what his security problems are.

    Here's a similarly vague question:

    Ask Slashdot:
    Greenhide writes "I'm bored. Someone told me it is bad to sit on my ass all the time, but maybe I'm not good at sports (I don't know!!)? What should I do?"

    Some people have pointed out that it seems like almost any kind of Ask Slashdot is getting posted, even when the question has a googleable answer or is excessively vague. Personally, I think Ask Slashdot should only be used to start a general discussion ("What would be an effective yet fair way to protect media copyrights?") or to answer non-trivial questions ("I am trying to modify an old dorm refrigerator so that I can use it as a cooling system for my overclocked PC. Does anyone know what tools and steps I could take? Is it safe to take apart a fridge?").
  • Re:Just forget it (Score:1, Insightful)

    by Anonymous Coward on Wednesday October 22, 2003 @08:37PM (#7286224)
    A sidebar for this. I was working for a parts distribution company. The software used locking, so that if someone left an order open with spark plugs and went to lunch, within 1 hour every salesperson's computer was locked, waiting for this one person to come back and complete or cancel their order.

    I outlined the faults in a less than subtle way to the GM with general solutions on how to solve this (pick what you lock, update and subtract, etc). I was fired within the week.

    6 months later I read of a million dollar writeoff by the company for software.

    Be careful what you say and have another job lined up. If you are a junior and you have taken it up, then just drop it and keep fixing the problems you can see as you get a chance. Read up on secure programming and be prepared to answer questions when asked. Learn to push gently, or get very thick skin and pray you are bright enough to weather the storm you might brew up.

    If they won't listen and you care enough, then you should find another job. Better to be happy at work; you spend enough time there.
