[joe_the_user]

This theme keeps coming up. Some cohort of HN is upset that software manufacturers aren't directly required to produce "secure software" [1]

I would suggest people look at a very foundational essay on this [2]. Key quote: "Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. "

How many times do we have to learn this?

[1] In quotes 'cause "secure software" does not exist. In two different ways; software always has bugs and using a piece of software incorrectly makes a secure system insecure.

[2] https://www.schneier.com/essays/archives/2000/04/the_process...

[TheOtherHobbes]

Security is not a Boolean. It's on a continuum from "You must be fucking joking" (early versions of IE) to "Not perfect, but workable with training" (literal weapons-grade air gapping).

Perfectly secure software does not exist. More secure and less secure software certainly does exist.

Which is why software should be expected to provide some basic level of protection.

In any org there will be a proportion of idiots who cannot be trusted to do the right thing, and software should be designed to minimise the damage their idiocy can generate.

This isn't enough to make an org secure, but it's a good start on whack-a-mole with the most obvious attack vectors.

The real problem is that too much of the industry - both management and devs - lacks maturity and professionalism. There's too much casual hobby tinkering, too much "But that's too expensive", and too much "Get it out the door and worry about it later".

There isn't enough conscientious attention to detail and far, far too little understanding of the disastrous - literally potentially explosive - consequences of serious security failures.

And CS courses teach far too little of all of the above. Academic algo noodling is one thing. But the reality is that computers can literally be as dangerous as weapons - and should be treated as such.

[PeterisP]

Can you elaborate on what exactly do you mean by " software should be expected to provide some basic level of protection." ?

In some sense security is binary - if your software happens to have even a single mistake that results in RCE or authentication failure, then it's totally exploitable and does not provide any level of protection whatsoever. And as experience shows, we seem unable to write any software without such mistakes, even if we try really, really hard by skilled people with security in mind, as far as I recall every popular piece of software that needed to be secure has had vulnerabilities.

[closeparen]

You don’t have to perfectly secure in order to raise the bar past your adversary’s level of sophistication. But you do have to stop doing the same stupid shit that’s in easy reach of anyone who can program.

[joe_the_user]

Once a complicated exploit is known, it can be added the arsenal of any script kiddie.

This isn't saying you're wrong that quality can raise the bar. It's saying that time and context also lower the bar. Especially, not being subject to "that’s in easy reach of anyone who can program" not guarantee by any purely default action - notably not guaranteed by spending X dollars.

[AshWolfy]

Not every vulnerability will be exploited, most hacks use very simple exploits if at all. 80 percent of security can be achieved with 20 percent of the work

[g_p]

I think there's a couple of issues at play here.

Firstly there's the information asymmetry for non-technical users - they don't think of themselves as buying security, they think of themselves as buying a remote access solution. They therefore don't see this as a process, but instead as a product or solution. That means they're surprised and caught unaware when something goes wrong.

The second issue is that people creating the software aren't themselves thinking about security, because the customer isn't buying security, or comparing security. And how do you measure or quantify or observe security? There's no commercial incentive to invest a month in hardening a product against attack, unless that month of engineering effort sees more sales and revenues. And since the people who buy are satisfied by slideware and specification sheets for security, nothing changes.

I think we need a whole change to how we buy software, hardware, and solutions in general, to see this change. The underlying economics don't incentivise secure products, in fact they actively discourage them.

[kelnos]

Sure, but if you're going to sell a "security product" and then the security turns out to be a joke -- or even decent, but flawed -- you should be held responsible for it in some way.

Obviously it's difficult to draw the line, and that's why we have courts. The company will argue that they did all that was possible, but as sometimes happens, something got through; the plaintiff will argue that the company's software had serious flaws because they were negligent or cut corners or had poor development processes or whatever. However imperfect the process is, the court can render judgment case-by-case.

(Before someone suggests this, I'm not trying to say that a random open source developer who works on OpenSSL should be held liable here. But if you're selling a product, you should hold some liability for when that product fails.)

[closeparen]

Part of the process of security is to design and code with consideration towards potential vulnerabilities. Organizations that ought to care care about security, and even spend a lot of money on security, also buy a lot of bug-riddled crap to run on their “secure” networks. Firewall rules and Group Policies can’t fix everything.