• #security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Brainwashing in security

At first, when I read the article titled Software Security Programs May Not Be Worth the Investment for Many Companies I thought it was a joke or a prank. But then I had a feeling it was not. And it was not the 1st of April. And it seems to be a record of events at the RSA Conference. Bloody hell, that guy, John Viega from SilverSky, “an authority on software security”, is speaking in earnest.

That’s one of those people who are continuously making the state of security as miserable as it is today. His propaganda is simple: do not invest into security, it is a total waste of money.

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

And following the suit was the head of security at Adobe, Brad Arkin, can you believe it? I am not surprised now we have to use things like NoScript to make sure their products do not execute in our browsers. I have a pretty good guess what Adobe and SilverSky are doing: they are covering their asses. They do the minimum required to make sure they cannot be easily sued for negligence and deliberately exposing their customers. But they do not care about you and me, they do not give a damn if their software is full of holes. And they do not deserve to be called anything that has a word ‘security’ in it.

The stuff Brad Arkin is pushing at you flies into the face of the very security best practices we swear by:

“If you’re fixing every little bug, you’re wasting the time you could’ve used to mitigate whole classes of bugs,” he said. “Manual code review is a waste of time. If you think you’re going to make your product better by having a lot of eyeballs look at a lot of code, that’s the worst use of human labor.”

No, sir, you are bullshitting us. Your company does not want to spend the money on security. Your company is greedy. Your company wants to get money from the customers for the software full of bugs and holes. You know this and you are deliberately telling lies to deceive not only the customers but even people who know a thing or two about security. But we have seen this before already and no mistake.


The problem is, many small companies will believe anything that is pronounced at an event like the RSA Conference and take it for granted that this is the ultimate last word in security. And that will make the security state of things even worse. We will have more of those soft underbelly products and companies that practice “security by ignorance”. And we do not want that.

The effect of security bugs can be devastating. The normal human brain is not capable of properly estimating the risks of large magnitude but rare occurrence and tends to downplay them. That’s why the risk of large security problems that can bring a company to its knees is usually discarded. But security problems can be so severe that they will put even a large company out of business, not to mention that a small company would not survive any slightly more than average impact security problem at all.

So, thanks, but no, thanks. Security is a dangerous field, it is commonly compared to a battlefield and there is some truth in that. Stop being greedy and make sure your software does not blow up.

Comments List

Sven Türpe2013-02-28 10:37 /

I believe he's right. There will be bugs, no matter how hard you try. In other words, as your investment in bug hunting goes to infinity, the number of bugs will not go to zero.

tigr[ino]2013-02-28 16:53 /

The problem is that he advocates not even trying. "Security is a waste of money" is not something I would like to hear from a company that I would buy anything from. How would you feel if your car manufacturer or house architect would say the same? "Oh, well, whenever the second floor ceiling comes crashing down on your head, let me know, we'll try to fix it somehow. Properly calculating and building your house from quality materials is too expensive and is a waste of money..." "Yes, you are right, the breaks are not tested at all, actually, although they seem to work most of the time. If you find some serious trouble there we will see what we can do. You know, it would be a waste of money to try and find out how well they work before anyone actually complained, would it not?.. Yes, the smell of the fuel may or may not go away but if your car ever blows up, please, submit a bug report then." "Thank you for banking with us. Your acount was emptied out? Your account number and the PIN code are published on our web site just in case you forget them. No, you do not need any identification if you come to withdraw money. We do not think anyone ever does withdraw from someone else's accounts. And the sum withdrawn from your account was not sufficiently large to warrant an investigation, no. Please, come back when you lose more than a petty few thousand."

Strategic direction: security ebb | Aruberusan News2013-03-13 18:33 /

[...] their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory [...]

tigr[ino]2013-03-28 07:47 /

Some more on the subject: http://www.sys-con.com/node/2587309

Apple – is it any different? | Holy Hash!2013-03-30 08:03 /

[...] be turned into bonuses and raises for the management. And the risks are typically ignored as I already talked about [...]

Strategic direction: security ebb – Aruberusan2014-09-05 09:36 /

[…] their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory […]

Secure the future – have a change of mind! | Holy Hash!2014-09-24 06:03 /

[…] more than quality. Security is even less visible and its impact is even further in the future. Many managers show short-sightedness and ignore security to concentrate on what brings money in today and tomorrow. But is that a good […]

Don’t patch it, it’s fine? – Holy Hash!2020-08-21 12:06 /

[…] publicly calling to stop the investment in security and avoid fixing security bugs in my article Brainwashing in security. There, we witnessed the head of Adobe security, Brad Arkin, tell us that the companies should not […]

Leave a Reply

Your email address will not be published. Required fields are marked *