• #security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Apple – is it any different?

The article “Password denied: when will Apple get serious about security?” in The Verge talks about Apple’s insecurity and blames Apple’s badly organized security and the absence of any visible security strategy and effort. Moreover, it seems like Apple is not taking security sufficiently seriously even.

“The reality is that the Apple way values usability over all else, including security,” Echoworx’s Robby Gulri told Ars.

MoneyIt is good that Apple gets a bit of bashing but are they really all that different? If you look around and read about all other companies you quickly realize it is not just Apple, it is a common, too common, problem: most companies do not take security seriously. And they have a good reason: security investment cannot be justified in short-term, it cannot be sold, and it cannot be turned into bonuses and raises for the management. And the risks are typically ignored as I already talked about previously.

So in this respect Apple simply follows in the footsteps of all other software companies out there. They invest in features, in customer experience, in brand management but they ignore the security. Even the recent scandal with Mat Honan’s life wipe-out that got a lot of publicity did not change much if anything. The company did not suffer sufficient damage to start thinking of security seriously. The damage was done to a private individual and did not translate into any impact on sales. So it demonstrated once again that security problems do not damage the bottom line. Why else would a company care?

We need the damage done to external parties to be internalized and absorbed by the companies. As long as it stays external they will not care. The same thing exactly as the ecology – ecological cost is external to the company so it would not care unless there is regulation that makes those costs internal. We need a mechanism for internalizing the security costs.

Comments List

Sven Türpe2013-03-31 12:27 /

Internalize the security costs to whom? Wouldn't the most natural party to bear security costs be the attackers, rather than their victims or the vendors their victims happen to procure their technology from? After all, they take the profit. For everybody else, it's just a lose-lose situation: forced to spend on involuntary losses, or forced to spend on security, or any combination of the two.

tigr[ino]2013-03-31 12:43 /

You are pointing out an important and significant difference in the situation set-up between ecology and security. You are right, our situation is more akin to the situation with the normal crime, like burglaries. Consider this: we have a construction company, a person who lives in a house, and a burglar. Then the situation is very similar. Why does not burglary get out of hand? Because there are punishments that keep potential costs for the burglar high, internalizing for him the costs to the society in effect. On the other hand, this deterrent is not sufficiently strong to allow us to stop using locks. So in effect the cost of their profitable behavior falls to two parties: the burglar and the person. Strangely, there does not seem to be any cost for the constructor at all, even if he makes houses of thin paper. What you would say is that the situation with the software security should be the same. Costs are born by the attacker, if caught, and by the defender but the software manufacturer absolves all responsibility. Unfortunately, so far it does not work at all. So perhaps the system with the software is not quite the same as with houses. Perhaps, other ways should be sought to improve the situation? Maybe, one day we will have such quality and choice of software that we will be able to absolve the software manufacturers of direct responsibility. But as long as we have a choice between vaguely functional insecure software and obviously disfunctional insecure software, I think the software manufacturer should be made responsible.

Sven Türpe2013-04-03 07:09 /

The constructor makes whatever the market demands, whether it's paper walls or reinforced concrete. As regards houses, most of them are terribly vulnerable to burglary (and you're probably safer at work than at home). However, I doubt we would be better off improving their security -- there isn't enough burglary to justify the cost. What exactly do you think is different with software?

tigr[ino]2013-04-03 09:23 /

So you are taking my analogy to argue that the software _should be_ insecure? Then it is a wrong analogy. Houses are not terribly insecure. They are fairly secure for their environment. If you go to places with high burglary rates you will notice high concrete fences with broken glass on top and locked gates. Where you live it is likely sufficient to have a door that shuts tightly. The software we get is not sufficiently secure for the environment we use it in. That's the difference.

Sven Türpe2013-04-03 11:06 /

Oh, it isn't? How many times did you get hacked last year? ;-)

tigr[ino]2013-04-03 11:12 /

That is the thing. I do not know. If it was detected, I would be able to tell. But I did not detect any break-ins, so I cannot say.

Leave a Reply

Your email address will not be published. Required fields are marked *