Research on Information Assurance

Re: Research on Information Assurance

Very true - after all these years, they still have not found a patch that will fix "stupid".

I know end users can wreck things in no time, but personally, I always point to the programmers when things go wrong. Not all programmers suck, but too many of the ones making commercial OS's and software apparently do.

Re: Research on Information Assurance

Actually it's not programmers, it's all those damn hackers that keep breaking perfectly well written software.

Re: Research on Information Assurance

Xor - I totally get your line of questioning. I take no offense. I re-searched Information Assurance and got much better results. I think the problem I had was that I wasn't vague enough to allow the right stuff through the search filter.

To clarify my college class, it's the 2nd week of the first course, and we've been tought nothing in the field of IT as of yet. I have no background in IT, so I'm not familiar with any of the issues that exist anywhere in the IT industry, much less in IA specific areas.

AgentDarkApple - I found your research list from the post you started a month or so ago. I started looking through it and found a few places to start researching information in specific areas, so I thank you for that.

Thanks for the posts everyone. I'll post what I finally pin down soon ( I hope).

Re: Research on Information Assurance

Try this link:
http://www.infosyssec.net/infosyssec...ty/intdet1.htm

You should be able to find what you're looking for through here.

Re: Research on Information Assurance

This may have been intended as an ironic statement, but when I looked at that I thought, "He is right." (I am assuming by percentages of computer professionals that you are a male. I apologize if I am wrong on that.)

Older code may have been at one point very secure. It may no longer be secure for many reasons. Below I made a list of just a very limited few:

• There is a vulnerability in third party code that will let you manipulate the system.
• There is a vulnerability in the language that was used itself
• That particular vulnerability was unknown or not even discovered yet
• Ridiculous tight deadlines force the developer to make the software "just work"
• The vulnerability is in the database and not the software
• The vulnerability is in the business rules the programmer is forced to use
• The vulnerability is in the protocol used. (ie. SSH vulnerabilities)
• The programmer is informed the software is intranet only, and upper management finds security unimportant
• Security is not budgeted, and upper management finds it unimportant

Re: Research on Information Assurance

You are right that all of these are contributing factors. I think inherent problems with the programming languages used are a big one. And the fact that the compiler sometimes screws things up. I also think that not enough of the training materials for programmers stress the importance of making security a priority. It's all about the money and the deadline.

Still, I feel that once a vulnerability is discovered, too many software companies would rather issue patches and kick some dirt over it rather than performing a causal analysis and actually fixing the true problem.

Re: Research on Information Assurance

Ha, there are rarely training manuals for software developers. O'Riley is often their only manual. There is rarely any formalized training at all. In most companies they put you next to a PC (with 512MB of memory) in a bland cubicle, and say, either "build me feature X on product Y using the existing technology" or "Build me product Y." (Note the lack of requirements) Still they get a whole lot done.

I would say that the biggest problem in the system; however, is project management. Too many companies try to develop "agile" methods without actually knowing what that means. They use the wrong method for the wrong project. Some sections can not be coded until other sections are complete.

Due to bad planning over 70% of software projects fail. Over 80% are behind schedule, and many go out corrupt and half finished. Near the end of development, when a product is obviously going to be behind schedule, the upper management will start cutting features in order to meet deadlines. Security is often considered a "feature" by upper management. Do you see where I am going with this?

Re: Research on Information Assurance

Good point - it sounds like there is a breakdown in communication and a lot of the project managers have no idea what is involved in the actual coding, therefore giving them unrealistic expectations, especially where time is concerned. It just baffles me that security is not given higher priority though

By "training materials", I was referring to O'Reilly books. It seems that even formal college programming classes often rely on O'Reilly. The O'Reilly programming guides I have read drove the point home about deadlines and customer expectations but did little to push security.

Re: Research on Information Assurance

After next month, I can probably talk a little more publicly about an issue I've been working with regarding exactly this issue. Security was never implemented, not at the programming level or at the IT level of the provider of the software. I discovered glaringly obvious security deficiencies in their system and reported it to them. They've been working with this exact same system for more than 10 years, and not one person at their company apparently ever gave security a thought. Even with all the news reports over the past decades that directly addressed all the issues I found.

When I presented them with my findings, they were absolutely gobsmacked, and actually admitted that they knew about most of the issues I presented, but had never done anything about it. Now they're trying to play catch up. What's worse, is their marketing department had posted a 'security statement' on their website saying that things were being done, but in reality their IT department wasn't doing, nor did they know they were supposed to be.

It's basically a lack of communication between departments that causes many issues. IT many times is aware of security issues, but fails to relay those concerns to development, plus I've found that developers many times know very little about computer technology in general. They know how to write code, but that's about the extent of their knowledge.

Re: Research on Information Assurance

/me snickers like Muttley

Re: Research on Information Assurance

It's so much easier and cheaper to place security in programs at design. After implementation, it takes so much more work to make software secure.

There is a 1-10-100 rule in software development. If it costs $1 or 1 hour to develop in planning, it will cost $10 or take 10 hours to fix after design, and $100 or 100 hours to fix after implementation. So a $500 fix in security at planning will end up costing the company $50,000 after implementation.

These companies don't realize that it is actually much cheaper for them to put the security in the software in the first place.