Submission + - What is a way to get companies to actually focus on security? 1
ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11", a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.)
With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother", what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking", so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored.
In fact, I have seen some development environments where someone doing -anything- about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the devs gave thought to any permission model at all, they would be tossed, and replaced by other devs who didn't care to "waste" their time on stuff like that.
One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure", or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.)
There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the US. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia which actually have heavy fines, as well as criminal prosecutions (i.e. execs going to jail)?
This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism.
Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother", what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking", so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored.
In fact, I have seen some development environments where someone doing -anything- about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the devs gave thought to any permission model at all, they would be tossed, and replaced by other devs who didn't care to "waste" their time on stuff like that.
One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure", or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.)
There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the US. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia which actually have heavy fines, as well as criminal prosecutions (i.e. execs going to jail)?
This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism.
Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
