@keithzg @[email protected] In software, the market rewards delivering features quickly and actually punishes teams who want to produce secure, reliable code.
Introducing liability would go a long way toward promoting #infosec by reducing those perverse incentives.
@Duquette @keithzg @[email protected]
1/2
No, it's not unique to software development, though in software development the problem is particularly acute.
Consider physical security. If there is no lock on the front door and all the windows are left open, that is immediately obvious and some people will speak up.
When a web app generates weak session IDs or doesn't check inputs before handing them off to the database, that failure is invisible to the average user.
@Duquette @keithzg @[email protected]
2/2
Cars and airplanes have a similar problem, which is mitigated by both regulatory bodies and liability.
Getting into a car or onto an airplane, I have no way to notice design or maintenance problems but can still ride with confidence because I know a few things:
- There are rigorous standards.
- There are inspections and enforcement bodies.
- Manufacturers know they will be sued if they fuck up too badly.
@Duquette You seem to be losing the forest for the trees.
Those bugs are random ones I pulled out of my butt. The core point is that software security flaws tend to be invisible, which means there is less impetus to fix them.