RE: The biggest thing affecting software security? People, apparently.

Imho, it is sometimes easier to use technology to 'cover up' and address
threats arsing from human mistakes and foibles via automation, rather than
try the 'educate and proceduralise everything' approaches. e.g.
- coding mistakes
- configuration mistakes
- lax patch management
- poor password choices
- opening/running malware
- exec/mamanegment directing poor environment security onto IT teams
- dis-affected employees and users/customers
- <insert your favourite security errors here>


Lyal

-----Original Message-----
From: Nick Murison [mailto:nick@urgusabic.net] 
Sent: Thursday, 30 June 2005 1:09 AM
To: webappsec@securityfocus.com; sc-l@securecoding.org;
secprog@securityfocus.com
Subject: The biggest thing affecting software security? People, apparently.


Hi all,

www.threatsandcountermeasures.com just closed their poll on what people
thought was the biggest thing affecting software security.  The results
were:

People:     80.3%
Process:    18.2%
Technology:  1.5%

Results also available from
www.threatsandcountermeasures.com/PastPolls.aspx.

If this is the case, then why is there such a huge financial investment in
security technology?  Is the human factor expected to magically improves
once we've got the "right" technology?

For our new poll, Threats and Countermeasures are asking what people
consider to be the more secure web application development platform; JSP,
PHP, ColdFusion, ASP.NET or old-skool CGI.

Best regards,
-- 
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net