Let's discuss software security. Spurred by this article:
The unveiling of the largest-ever U.S. cyber crime prosecution last week serves as a blaring siren for Corporate America to ramp up security and thwart complex attacks, but companies still seem to struggle to keep pace.
The problem has grown persistent over the last few years, with cyber evildoers illegally capturing billions of dollars worth of data and money from unsuspecting victims. In the most recent case, the criminals inflicted "hundreds of millions of dollars" in damages and stole 160 million credit card numbers over six years.
Sixty-four percent of organizations attacked in 2012 took more than 90 days to detect an intrusion with the average time for detection being 210 days – 35 days longer than in 2011, according to a report released earlier this year from data security firm Trustwave.
Five percent took more than three years.
Especially unnerving is the widespread success of SQL injections. Remote access and SQL attacks, the tool of choice by hackers in the scheme unveiled last week, together made up 73% of the infiltration methods used by criminals in 2012, according to Trustwave.
At some point, it becomes too costly to pay for the defenses necessary to stay far enough ahead of them, and that's when security systems become outdated.
"It would take a little extra time and money to make sure a system is secure, and many companies don't want to make that investment," he said.
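The SQL injection the article singles out, and the "little extra time" it says a fix would cost, are worth seeing side by side. The following is an added example, not code from the article or from any of the breached companies: a tiny in-memory SQLite users table (constructed sample data), a login lookup that splices user input into the SQL text, and the same lookup with bound parameters. The `users` table, the `login_*` function names and the tautology payload are all assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed sample database: two users with a stored card number."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "correct horse", "4111111111111111"),  # constructed test data
            ("bob", "battery staple", "5500000000000004"),   # constructed test data
        ],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Authenticate by formatting user input straight into the SQL text.

    A quote character in the input terminates the string literal and the
    rest of the input is parsed as SQL, so the attacker controls the
    query's structure rather than just a value. This is the pattern
    behind the SQL injection attacks the article describes.
    """
    query = (
        "SELECT username, card FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Same lookup, but the values are bound as parameters.

    The driver sends the SQL text and the values separately; the input is
    only ever compared as data, so the only way to match a row is to know
    a real username and password. The change from the vulnerable version
    is one line.
    """
    query = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Classic tautology payload (assumed attacker input): closes the open string,
# adds an always-true condition, and comments out the password check with
# SQLite's `--` line comment.
PAYLOAD_USER = "' OR '1'='1' -- "
PAYLOAD_PASS = "anything"


def demo():
    """Run both lookups against the payload and a legitimate login."""
    conn = make_db()
    leaked = login_vulnerable(conn, PAYLOAD_USER, PAYLOAD_PASS)      # every row
    blocked = login_parameterized(conn, PAYLOAD_USER, PAYLOAD_PASS)  # no rows
    legit = login_parameterized(conn, "alice", "correct horse")      # one row
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable query with payload returned", len(leaked), "rows")
    print("parameterized query with payload returned", len(blocked), "rows")
    print("parameterized query with real credentials returned", legit)
```

With the payload, the vulnerable query becomes `... WHERE username = '' OR '1'='1' -- ' AND password = 'anything'`, which dumps every card number in the table; the parameterized version returns nothing for the same input and still authenticates a real user. The fix is not the expensive part; finding every place the first pattern was used is.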
Security is hard, expensive, and obtrusive.
Security conflicts with productivity, at least from the point of view of the developer who is trying to accomplish task xyz, not thwart convoluted attacks lmnop, stuv, and yabbayabbayabba.
Security is expensive. I don't think consumers realize just how much the cost of technology goods and services would rise if the software industry made security a top priority and a top budget item (if needed) across the board.
Security is obtrusive. More software updates mean more churn for an end-user base that already complains with comments like "another update again <insert rolled eyes/>".
Yet security is needed.
Is this era of heightened attacks conveniently in sync with the race to the bottom in TCO (total cost of ownership)? Is security on the same treadmill that computer hardware vendors have ridden with their super thin margins and cut-rate products?
It seems today that TCO is so important that security is purposefully ignored by key decision makers.