Friday, May 18, 2012

Pre-Boxed Crap

The computer security problems in our country can be easily repaired and monitored. The problem is there are no industry standards for the software we are putting out there, and no one is being held accountable; even the automotive industry is finally being held to several safety standards to protect the customers who purchased their vehicles. The way I look at it, we are again "closing the barn door after the horse ran away". It costs companies, corporations and individuals mega bucks to fix the software problems after a security incident has happened. Now what would be wrong with security testing the product before it leaves the building? hmmmm...
...BUTCH


There's a gap today in requirements. We can quite easily build security into in-house and off-shore developed applications by integrating commonly known security requirements.

For example:
  1. We can require that developers not keep state data the server depends on (the "integral" state) on the client, to defend against parameter manipulation.
  2. We can require that session ids are always sent over SSL.
  3. We can both require and check for these things before an app is deployed, so that the only thing left for crash testing (security testing after the fact) is the mistakes that slipped through the cracks, complex domain-specific security flaws, and novel or unique security issues that haven't been defined yet.
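Requirements 1 and 2 only help if something checks them before the app ships (requirement 3). As an added example, not from the original post, here is a small pre-deploy gate in Python that inspects a constructed HTTP response: it flags a session cookie set without the Secure attribute, and a hidden form field that carries server-side state (price, role and the like) on the client. The cookie names and field names it treats as sensitive are assumptions chosen for the example.

```python
import re

# Assumed names for the two requirement classes; extend per application.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}
INTEGRAL_STATE_FIELDS = {"price", "total", "amount", "discount", "role", "user_id", "is_admin"}

INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) from a Set-Cookie header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def check_session_cookies(set_cookie_headers):
    """Requirement 2: session ids must be confined to SSL, i.e. carry the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES and "secure" not in attrs:
            findings.append(f"session cookie '{name}' is set without the Secure attribute")
    return findings


def check_client_state(html):
    """Requirement 1: hidden inputs must not carry state the server relies on."""
    findings = []
    for tag in INPUT_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and attrs.get("name", "").lower() in INTEGRAL_STATE_FIELDS:
            findings.append(f"hidden field '{attrs['name']}' keeps server-side state on the client")
    return findings


def pre_deploy_gate(set_cookie_headers, html):
    """Empty list means the build passes; any finding should block deployment."""
    return check_session_cookies(set_cookie_headers) + check_client_state(html)


# Constructed sample response: one session cookie without Secure, one checkout form with a client-side price.
SAMPLE_HEADERS = ["JSESSIONID=a1b2c3; Path=/; HttpOnly", "theme=dark; Path=/"]
SAMPLE_HTML = """<form action="/checkout" method="post">
  <input type="hidden" name="item_id" value="42">
  <input type="hidden" name="price" value="19.99">
  <input type="submit" value="Buy">
</form>"""

if __name__ == "__main__":
    for finding in pre_deploy_gate(SAMPLE_HEADERS, SAMPLE_HTML):
        print("FAIL:", finding)
```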

We as an industry have spoken at great length about security in the SDLC, but we've paid only marginal attention to security requirements. It's time to move on from crash testing.
