Ostrich Based Security

Security is one of those hot button issues. Lots of companies like to pretend they are security conscious. One particularly troubling trend is the suppression of vulnerabilities which are discovered during development. It is a nice story for a company to be able to say to potential users, "We have no known vulnerabilities." On its own this statement is meaningless, because it is consistent with all of the following:
  1. The company could be lying.
  2. The company may not have looked for vulnerabilities, but fixed the few they randomly stumbled on.
  3. The company may have actively limited vulnerability testing so as to prevent vulnerabilities from being found.
  4. The company may have actively looked for vulnerabilities and fixed all that they found.


For the sake of argument let's assume the company is not lying. Of the three remaining options, option four is by far the most expensive. Thus there is a large disincentive for the company to do this. Of the two remaining options, the third is the cheapest whilst the second is the most ethical. However, it is a very short leap for a company to go from option two to option three. So long as no one within the company looks for security issues, it is unlikely that any vulnerabilities will be found. If someone does begin to look for security holes, maintaining the "no known vulnerabilities" line becomes much more expensive. The charade of security can only be continued if the company commits far more resources to fixing the bugs, or moves to option one or option three. Of these choices I believe option three is the most likely. It offers a shallow level of ethical comfort while being extremely cheap to continue to support.

Right up until the point where the company is hacked for real by a group of teenagers.
