Vibrant European ICT security market?
Do you agree with me that the ideal situation would be not having an ICT security market?
Do we want to strengthen the security market, or is what we pursue minimizing security risks? Europe needs to find solutions for reducing a huge part of the security problems at the root.
Most of the security threats, when talking about vulnerabilities, exploits, malware, and a big etc., come from poorly written software. This is something with a not so difficult remediation: regulation, standardization and education come to my mind.
Comments
Agree entirely
It is true that a lot of "security" marketing focuses on external security risks. Part of that is because this is the part of "security" that focuses on surveillance and plug-on. I call this control-ware, as it typically does little good and often more damage than is removed.
The more heavy security issues are resolved as part of basic design from the start. Security by Design means "no issue" and thereby no marketing PR.
Consider the difference between in-car GPS navigation and a mobile phone with server-side tracking. They basically solve the same problem, but the mobile phone is loaded with security problems that the in-car GPS navigation system does not have and risks it does not create.
Good security takes time but is worth it.
The problem is the strong interest in bad security - there is money in tracking, so why should security be considered?
The best way to prevent secure solutions is through standardisation, e.g. SIM-based mobile phones are all about gatekeeper business models instead of security.
The second best way to prevent competition and security is through regulation, e.g. Data Retention dictates no security, favouring gatekeepers. Why?
One of the big questions right now is why SEPA (cross-EU payments) does not make Digital Cash legal tender, i.e. you have to accept Digital Cash payments to ensure Empowerment.
Answer this and you can go far in understanding the barriers for ICT Security.
Question: Could Open Source help in this direction?
Open source is another dimension
E.g. Android is open source but still part of a system driven by "surveillance profits".
On the other hand e.g. SpiderOak is one of the better online backup models. Do we trust it?
What definitely is good is that some key security tools are made free - see U-Prove, TOR, Linksmart - a digital world without blinded cryptography and virtualised communication is a scary thought.
Surely open software and communities such as OWASP could assist towards improving secure software.
Regarding the development of secure code and software - can you share any proposals or inspiring examples?
Well, my experience, as a University Professor, is that students get programming classes focusing on algorithms, style, and so on. But the lectures of such classes are given without taking any kind of security into mind. Then, when I teach security, I must focus on systems, services, risk assessment, management, and software... so there is no time to cover software security as it should be.
Enforcing Computer Science and Computer Engineering curricula with a basis of safe or secure programming should be necessary.
In my view not even most "security" classes get beyond some outdated PKI and identification, which is actually worsening the situation.
And among those that do, the focus is upon the more advanced technologies such as blinded cryptography without actually getting to analyzing and understanding the full multi-stakeholder security problem.
And the few centers around the world that actually get to this point are characterised by huge problems linking this with economics, stalemating good technology understanding in special cases and "anti-xx" thinking.
Business strategists, legal professionals, ICT operational, ICT development and particularly macro economics have no basis for dealing rationally with questions such as security, privacy or trust.
As a consequence we see outcomes missing their targets with non-solutions often worsening the situation, such as eIdentification, putting a "price" on personal data, biometric passports, "trusted computing", "do-not-track", "DRM for PRM"/sticky policies.
I agree that the basis of many security issues lies in application security. Everything runs with software after all. This problem however can be more difficult to solve than traditional IT infrastructure security. Software is complex and developers usually lack awareness, knowledge and, most importantly, time and direction to develop securely.
In OWASP, our mission is to make application security visible so that anyone involved in the software business can make informed decisions. Towards this goal we work on numerous projects, tools, guides, and documentation.
A full list of our projects can be found here: https://www.owasp.org/index.php/Category:OWASP_Project
For a start I would definitely recommend the OWASP Top10, the OWASP Secure Coding Practices and the OWASP ASVS.
Finally, in less than a month's time we're organizing the OWASP AppSec Research conference, the annual European conference where we discuss the latest and hottest advances in application security. You are all invited to join us. More information can be found here: http://www.appsecresearch.org
It is fine to work on better quality of source code and trying to improve perimeter security.
It does not change the fact that there is an inherent difference in security between where control has shifted from citizen to system and where it hasn't.
If e.g. the system has never had access to identify the citizen/devices, most threat scenarios are simply eliminated by design, just as a real basis for trust has been established and reduced to focus issues such as availability and actual product/service quality.
Perimeter security simply won't suffice for e.g. cloud, IoT, healthcare etc.