tssci security

Contributing towards a solution

Roger Halbheer, Chief Security Advisor for Microsoft Europe, Middle East, and Africa posted a comment last week in response to my post on "Operating Systems are only as secure as the idiot using it." Roger is looking for some open discussion on improving the security usability problem, instead of sitting back and complaining about it.

I have posted a response to his comment and Dre has also put some thought into his reply as well. Some highlights:

Security engineering is not easy, and history has proven time and time again that humans are fallible. We need to design secure systems from the ground up, taking into account every distant node of every network, both logical and physical. Take a banking application, for example: not only does the site have to be secure and free of flaws, but so do the out-of-band channels used for transport communications, such as account creation, recovery, etc.

From Dre:

While reading, "Geekonomics: The Real Cost of Insecure Software" and speaking with people at Fortify Software, Veracode, Cigital, and MITRE... I'm sold on the concept of a five-star "software security assurance" rating system for both commercial and open-source software to solve the "stem" of this user+security problem...

...get the five-star rating system published everywhere, on the software boxes, in newspapers, magazines, and everywhere the product name goes. Make it a part of consumer reports; make it the most important part of consumer reports. Make sure that expiration dates are also published with the ratings, and have a place online where people can go to check all the latest information on their software security assurance ratings for all the applications that they use.

This doesn't even begin to scratch the surface of Dre's post. Definitely check it out; it's a worthy read.

Posted by Marcin on Monday, November 19, 2007 in Security.
