There have been quite a few stories lately about the crackdown on and punishment of hackers (real hackers, not kids who guess the password of a famous person’s social networking account). My question is when are we going to start holding the developers accountable?
Part of my job is to evaluate the security of applications before they are put into our production environment. These applications are from developers around the world for major companies’ global initiatives. I find myself time and again having to send the application back to the developing agency (sometimes more than once) for what seem like very elementary exploits.
Security should be a major concern in the digital age. We are fighting a war against those who would exploit weaknesses in online applications to infect an unsuspecting user’s computer, steal information and make it part of a botnet meant to cause further damage.
I agree that users should be aware of these threats and take necessary precautions such as having some form of a firewall and anti-virus, but it seems like we are attacking the problem from the wrong direction. Catch and prosecute one hacker and 5 more will take his place and wreak havoc long before they are even noticed. It’s an uphill and losing battle.
There will always be an exploit; it is impossible to write any sort of complex program in which an exploit cannot eventually be found. I’m not talking about those applications, but about the applications that come across my desk every day. Most smaller firms don’t have someone like me standing in the way of releasing code with blatantly obvious exploits.
It is up to the developer to ensure that their application is secure. If the developer is unsure of how to accomplish this, then that developer shouldn’t be writing applications that deal with sensitive information or that have a large group of users.
I think it is time to bring the fight to the developers. If a developer knew that they could be held accountable if their application was hacked and eventually led to the loss of sensitive information or infected users’ machines, I think those developers would get knowledgeable about security and do their best to secure the application before releasing it into the wild, reducing the surface area that can be attacked in the first place.
