Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Security's #1 Problem: Economic Incentives
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
rrwillsher1974
rrwillsher1974,
User Rank: Apprentice
9/25/2017 | 10:27:44 AM
internet sercruits
its very smimple to fix all you have to do is get an audit done and emprove on the ave score 200/400. to do this to a score off 400 would stop alot off pppl useing the cracks in programs to do whot ever thay do.

also ppl are not useing a direct attack on ppl but rather useing other ppls web sites we vist as a point off entry ie cookies,poor audit scores, paying for ur padlock form digigroup and not doing your job properly.

you all are lasy devs and programers just because a program says it ok doesnt mean ur dont ur job.
martin.george
martin.george,
User Rank: Apprentice
9/25/2017 | 11:17:12 AM
Great post
That is totaly great est post I have seen here) 
xanthan99
xanthan99,
User Rank: Strategist
9/25/2017 | 3:41:11 PM
New Problem same discussion
This article brings back memories of numerous discussions from 15-20 years ago about how to adhere to the SDLC in the fast paced world of the Internet.  I'm not truely sure we ever came up with a solution for that either, reference the iOS 11 update over the weekend.  Security can't be something we leave to the whim of happenstance theory.
Dr.T
Dr.T,
User Rank: Ninja
9/26/2017 | 2:34:42 PM
Software development
I would agree with the article. There has to be a better way to develop application so there is incentive to develop secure applications.
Dr.T
Dr.T,
User Rank: Ninja
9/26/2017 | 2:37:09 PM
Re: internet sercruits
its very smimple to fix all you have to do is get an audit done and emprove on the ave score 200/400 It makes sense however most audit would not catch most vulnerabilities. It needs to be intensive pen test.
Dr.T
Dr.T,
User Rank: Ninja
9/26/2017 | 2:38:42 PM
Re: internet sercruits
you all are lasy devs and programers just because a program says it ok doesnt mean ur dont ur job. That might be true, mostly less about laziness more about not having enough time to check and re-check.
Dr.T
Dr.T,
User Rank: Ninja
9/26/2017 | 2:39:30 PM
Re: Great post
Yes, it is a great article pointing out major loop in whole software development process.
Dr.T
Dr.T,
User Rank: Ninja
9/26/2017 | 2:41:09 PM
Re: New Problem same discussion
This article brings back memories of numerous discussions from 15-20 years ago about how to adhere to the SDLC in the fast paced world of the Internet I would agree. It is an old question without a proper answer yet.
rrwillsher1974
rrwillsher1974,
User Rank: Apprentice
9/26/2017 | 3:06:49 PM
Re: internet sercruits
It's simple just ask there will be a nominal cost, overheads and expenses
jacekmaterna
jacekmaterna,
User Rank: Apprentice
9/27/2017 | 11:27:04 AM
moving security to the "left" in SDLC will never occur without $ incentives-
Security in the SDLC has long be an after-thought. Why would it be any different? Business owners are rewarded for KPis on speed and releases over quality. Few firms today operate in reverse. Why? Because the marketplace demands more speed and more features faster than the day before. Impossible to change that macro environment. Best that could happen is that some combo of regulation comes in to move risk management and security to the "left" - its 10x cheaper to find issues in the source code than when to do it after the products are deployed globally, etc. Human nature will always take least resistent path. I am no fan of regulation but in this case there needs to be some to create value in security in the SDLC - incentive via $$ impact will get business owmners attention. GDPR is a great step- it has real teeth (albeit being super vague).
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Creating an Effective Incident Response Plan
Security teams are realizing their organizations will experience a cyber incident at some point. An effective incident response plan that takes into account their specific requirements and has been tested is critical. This issue of Tech Insights also includes: -a look at the newly signed cyber-incident law, -how organizations can apply behavioral psychology to incident response, -and an overview of the Open Cybersecurity Schema Framework.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-4194
PUBLISHED: 2022-11-30
Use after free in Accessibility in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
CVE-2022-4195
PUBLISHED: 2022-11-30
Insufficient policy enforcement in Safe Browsing in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to bypass Safe Browsing warnings via a malicious file. (Chromium security severity: Medium)
CVE-2022-4175
PUBLISHED: 2022-11-30
Use after free in Camera Capture in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2022-4176
PUBLISHED: 2022-11-30
Out of bounds write in Lacros Graphics in Google Chrome on Chrome OS and Lacros prior to 108.0.5359.71 allowed a remote attacker who convinced a user to engage in specific UI interactions to potentially exploit heap corruption via UI interactions. (Chromium security severity: High)
CVE-2022-4177
PUBLISHED: 2022-11-30
Use after free in Extensions in Google Chrome prior to 108.0.5359.71 allowed an attacker who convinced a user to install an extension to potentially exploit heap corruption via a crafted Chrome Extension and UI interaction. (Chromium security severity: High)