Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Security's #1 Problem: Economic Incentives
Threaded  |  Newest First  |  Oldest First
rrwillsher1974
50%
50%
rrwillsher1974,
 User Rank: Apprentice
9/25/2017 | 10:27:44 AM
internet sercruits
its very smimple to fix all you have to do is get an audit done and emprove on the ave score 200/400. to do this to a score off 400 would stop alot off pppl useing the cracks in programs to do whot ever thay do.

also ppl are not useing a direct attack on ppl but rather useing other ppls web sites we vist as a point off entry ie cookies,poor audit scores, paying for ur padlock form digigroup and not doing your job properly.

you all are lasy devs and programers just because a program says it ok doesnt mean ur dont ur job.
Dr.T
0%
100%
Dr.T,
 User Rank: Ninja
9/26/2017 | 2:37:09 PM
Re: internet sercruits
“its very smimple to fix all you have to do is get an audit done and emprove on the ave score 200/400” It makes sense however most audit would not catch most vulnerabilities. It needs to be intensive pen test.
Dr.T
0%
100%
Dr.T,
 User Rank: Ninja
9/26/2017 | 2:38:42 PM
Re: internet sercruits
“you all are lasy devs and programers just because a program says it ok doesnt mean ur dont ur job.” That might be true, mostly less about laziness more about not having enough time to check and re-check.
rrwillsher1974
50%
50%
rrwillsher1974,
 User Rank: Apprentice
9/26/2017 | 3:06:49 PM
Re: internet sercruits
It's simple just ask there will be a nominal cost, overheads and expenses
Joe Stanganelli
100%
0%
Joe Stanganelli,
 User Rank: Ninja
9/29/2017 | 4:37:10 AM
Re: internet sercruits
At the same time, a good audit score isn't the same thing as having good security practices. I can't tell you the number I've times I've observed enterprise environments/scenarios where people "check the box" when they aren't actually doing the thing that they're checking the box for.
rrwillsher1974
50%
50%
rrwillsher1974,
 User Rank: Apprentice
9/29/2017 | 7:00:34 AM
Re: internet sercruits
Lol lol lol audit is gd it tells u if the basics are done but u can still see irregular file names in script http they just found a new way
rrwillsher1974
50%
50%
rrwillsher1974,
 User Rank: Apprentice
11/16/2017 | 2:13:30 AM
Re: internet sercruits
The audit is there to show some off the holes in the http. This is a way to improve securities after that u have to go to the script and see what phishing and hack files have been put into the original http also a better cookies policy to stop remote access
martin.george
50%
50%
martin.george,
 User Rank: Apprentice
9/25/2017 | 11:17:12 AM
Great post
That is totaly great est post I have seen here) 
Dr.T
100%
0%
Dr.T,
 User Rank: Ninja
9/26/2017 | 2:39:30 PM
Re: Great post
Yes, it is a great article pointing out major loop in whole software development process.
xanthan99
100%
0%
xanthan99,
 User Rank: Strategist
9/25/2017 | 3:41:11 PM
New Problem same discussion
This article brings back memories of numerous discussions from 15-20 years ago about how to adhere to the SDLC in the fast paced world of the Internet.  I'm not truely sure we ever came up with a solution for that either, reference the iOS 11 update over the weekend.  Security can't be something we leave to the whim of happenstance theory.
Dr.T
100%
0%
Dr.T,
 User Rank: Ninja
9/26/2017 | 2:41:09 PM
Re: New Problem same discussion
“This article brings back memories of numerous discussions from 15-20 years ago about how to adhere to the SDLC in the fast paced world of the Internet” I would agree. It is an old question without a proper answer yet.
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
11/22/2017 | 5:34:12 PM
Re: New Problem same discussion
Glad you brought up that accursed iOS update. Tech people preach to the hoi polloi that they should emphasize security over accessibility/usability by jumping through all sorts of password and other authentication hoops...and yet developers rush terrible updates through to release just to get some pet features out.

This is also an issue in open source -- where feature creeps are far more prevalent than passionate security testers.
Dr.T
50%
50%
Dr.T,
 User Rank: Ninja
9/26/2017 | 2:34:42 PM
Software development
I would agree with the article. There has to be a better way to develop application so there is incentive to develop secure applications.
moberdacker152
50%
50%
moberdacker152,
 User Rank: Strategist
9/28/2017 | 12:49:35 PM
Re: Software development

This may be slightly off topic, but this kind of thing is exactly why I don't yet own a thermostat, or refrigerator with internet connectivity.  I love the idea of them, but as far as I've been able to tell so far, not one IoT device has much, if any built, in security.  Unfortunately, this doesn't stop enough people from buying them though to force the manufacturers to produce secure IoT appliances.

 

The way it is now the companies developing the software seem to feel features trump security.  I don't know of a software developer that produces software that is very secure but with fewer features than their competitors'.  They're afraid to try, because if it doesn't work, they could end up not being able to recover financially.  Personally if I had the choice between a secure software product with the basic features I need and an insecure one with nice to have features I'd choose the secure software every time, assuming similar costs.

Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
9/29/2017 | 4:40:11 AM
Re: Software development
I'm not so sure it's off topic considering this is pretty much the same thing I thought of at first too.

Consumer IoT security flaws proliferate because of the lack of economic incentive to go the extra mile to prevent/fix them. If your fridge gets hacked for use in a botnet, it still works as a fridge just fine.

This is why many have called for legislation/regulation in this area. Meanwhile, some enterprises/professionals are trying to get industry to unite around standards so that they can avoid government stepping in.
rrwillsher1974
50%
50%
rrwillsher1974,
 User Rank: Apprentice
11/15/2017 | 1:55:04 AM
Re: Software development
I have found a new company in London that has developed an interesting way to stop ppl from hacking. Also there are the basics ppl need to learn is keep virus ECT up to date several times a week, use an old system to security check usbs cds ECT check cookies for remote controls ie c. ECT when using public networks there's so many ways to be hacked but it's just as much fun to make there life hard my version off chrome has started killing some scripts so it's just a war that maybe won one day if enuf ppl start learning to defend themselves and not just relies on progs to do all the work computers have to be maintained
jacekmaterna
100%
0%
jacekmaterna,
 User Rank: Apprentice
9/27/2017 | 11:27:04 AM
moving security to the "left" in SDLC will never occur without $ incentives-
Security in the SDLC has long be an after-thought. Why would it be any different? Business owners are rewarded for KPis on speed and releases over quality. Few firms today operate in reverse. Why? Because the marketplace demands more speed and more features faster than the day before. Impossible to change that macro environment. Best that could happen is that some combo of regulation comes in to move risk management and security to the "left" - its 10x cheaper to find issues in the source code than when to do it after the products are deployed globally, etc. Human nature will always take least resistent path. I am no fan of regulation but in this case there needs to be some to create value in security in the SDLC - incentive via $$ impact will get business owmners attention. GDPR is a great step- it has real teeth (albeit being super vague).
Joe Stanganelli
50%
50%
Joe Stanganelli,
 User Rank: Ninja
9/30/2017 | 12:25:38 PM
Commercial
> We know how to do that, but there are many pages of specifications requiring several days of work that produces no "new feature." In other words, there is no value in this activity for the business.

This may be one of the fundamental disadvantages of open source compared with proprietary.

Commercial developers of software do have an economic incentive to do a lot of this with their systems. Open-source contributors? Not so much necessarily. Therefore, open-source systems may thus put this onus on the enterprise customer...who generally almost certainly doesn't have the resources to invest in this stuff.

(To be fair, companies like Red Hat and Mirantis, which provide support for their builds/"flavors" of open-source software, also have this incentive to an extent because of their support contracts/business model. Commerce makes the world go round.)


COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.