I see that HTC got finally whacked over the head for the lack of security in their Android smartphones. I will have to contain myself here and will leave aside the inherent issues surrounding Android, its security and model of operation that will hurt … Ok, ok, I stop now. So, HTC got dragged into a court in US for improper implementation of software that allows remote attackers to steal various data from your smartphone. Big news. Problem is they settled and are not likely to actually do something about it. Anyway, that’s not interesting.
The interesting thing is that the regulators complained that HTC did not provide security training to the staff and did not perform adequate security testing:
The regulator said in a statement that HTC America “failed to provide its engineering staff with adequate security training, failed to review or test the software on its mobile devices for potential security vulnerabilities (and) failed to follow well-known and commonly accepted secure coding practices.”
Most companies ignore security hoping that the problem never comes. This shortsighted view is so widespread I feel like Captain Obvious by repeatedly talking about it. But I suppose it bears repeating. The security risks are usually discarded because they are of low probability. However, their impact is usually undervalued and the resulting risk analysis is not quite what it should be. The security problems prevalent in software are usually of such magnitude that they can easily cost even a large business dearly.
Ignoring security is not a good idea. This is like ignoring a possibility of human death by being trapped in an elevator for an elevator company. An elevator company will do all it can to prevent even a remote chance of this happening because if something like that happens they can be easily out of business in no time. Quite the same approach should be taken for granted by software companies, and the sooner, the better. A security problem can put a company out of business. Be forewarned.