Feeds

As Emperor of Security, I hereby decree...

Benovolence is my middle name

  • alert
  • submit to reddit

SANS - Survey on application security programs

Fines for insecure software

Bruce Schneier has often written about economic externalities, in which "the cost of a decision [is] borne by people other than those making the decision". In other words, companies creating software don't really suffer financially when their software products ship with massive insecurities in them. This needs to change.

If a company ships software that proves to be insecure, perhaps in some critical way, it'll be fined. The fines will based on a percentage of yearly revenue, and it will be a big enough percentage to hurt. There's one exception to this rule: if the software is released under an open source license (as determined by the Open Source Initiative), then there's no fine. (Ed: Is this because they have no money?

Organisations entrusted with your data will be held accountable

Another result of the current reality in economic externalities in security is the almost constant loss of personal and financial data due to carelessness and hacking. It's reached epidemic status, and it too needs to stop. The solution is similar to that in the previous decree: fines keyed to the organisation's yearly revenue. In addition to fines, however, these organisations will have to reimburse the people whose data was lost or stolen. A few large fines and reimbursements, which will lead most definitely to some firings, and I guarantee that security in this area will improve.

Mandatory disclosure of data loss and hacking

Of course, along with massive fines comes mandatory disclosure. If a company loses data, or is the victim of a security breach, it must reveal this to the public. A website will be set up to list these organisations so that they can be publicly shamed, and the amount they paid in fines will also appear there. California has such a law, without which the public would never have known about some particularly egregious data losses that a few companies incurred. A national law would go the next step to help inform people while holding companies accountable.

Mandatory anti-virus, anti-spyware, and firewall software

If you drive a car without changing the oil, eventually you'll destroy that car. Likewise, if you use a computer without anti-virus, anti-spyware, and firewall software, eventually you'll destroy that computer and hurt others as your infected machine spews malware and spam onto the net. When computers first boot, users should be offered the choice of several different anti-virus, anti-spyware, and firewall software packages, including ones that they install themselves, to preserve competition. Instead of 30 or 90 days, this software should be good for a year. How many people today buy new computers and don't buy the subscription after 90 days? As the end of that year approaches, users should be warned repeatedly that they must upgrade. No upgrade, no net access...except to sites offering upgrades. No anti-virus, anti-spyware, or firewall software, no net access...except to sites offering this software.

DRM cannot be used to deny fair use or first sale

I recently wrote a column explaining that DRM as currently practiced is a disaster not only for users, but also for the companies trying to use the technology. To solve those problems, DRM should be allowed, but it cannot be used to deny fair use or first sale rights.

Briefly put, the right of fair use says that I can use copyrighted materials in ways that the copyright owners may not intend or desire - for educational use, say, or for reviews or critique - while the right of first sale says that I can transfer to another person or entity a copyrighted work without asking permission first. If DRM prevents someone from exercising fair use or first sale, it's verboten; otherwise, it's OK. If you want to use DRM to protect your company's financial records, that's fine; if you want to use it to keep me from backing up my DVD or transferring songs I bought to a friend, that's not allowed.

That's it...those are my decrees. Some of you will call me mad, some of you will accuse me of megalomania rivaled only by the Roman emperors of old, and some of you will see things that I left out. Perhaps my ideas are crazy, but they're at least enough to spark discussion about solutions. And as a benevolent dictator, I choose to emphasise the word "benevolent" - if we try an idea for a while and it doesn't work, I'm more than willing to try something else. Finally, I urge you to propose your own ideas. If you were emperor of the security world, what would your orders be?

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Scott Granneman is a senior consultant for Bryan Consulting Inc in St Louis. He specialises in internet services and developing web applications for corporate, educational, and institutional clients.

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.