Slashdot Mirror


Fixing Security Through Obscurity?

LineNoiz asks: "I work as a junior developer at a small company that sells check printing software. One of my company's favorite things to tell customers is how secure our product is and how it will reduce check fraud (we even sell check fraud insurance). I cringe every time I hear them say it, because I know that it is 'secure' only because of its relative obscurity. I personally know very little about security, and really have no idea what it would take to make our product secure. All I really know is that this is a problem waiting to happen. How can I convince my managers that our security is nothing to brag about? How can I convince them to spend the time and money to make it secure? Where can I myself go to learn more about security and what it would take to make/keep it secure?"

4 of 66 comments

  1. learn how to hack by aoteoroa · Score: 3, Interesting

    Now I am no expert on hacking or security, but I once read a book that changed the way that I write software. Hacking Exposed taught me a number of different methods that can be used to find weaknesses in software. Once I learned some of the attacks that people could use against my applications, fortifying against those attacks became much easier.

    Java Cryptography was another informative read.

  2. Re:Sounds like a very secure system to me by donutz · Score: 2, Interesting

    I am betting they are paying out pretty close to 0 in reimbursements (which is why they are advertising this). How much of your salary will it take to make the product even slightly more secure?

    How long will the company stay in existence to pay this poor guy's salary if someone discovers and exploits the vulnerability? Do they have the cash reserves to pay off these reimbursements if they start coming in, or will they just fold into bankruptcy?

  3. Art of the Steal by mvance · Score: 3, Interesting

    I recently listened to the audio book version of Frank Abagnale's "Art of the Steal" and I would definitely recommend it in your case. Like his other book, "Catch Me If You Can", it has some great anecdotes about cons. It even has a whole section devoted to check fraud.

    "Art of the Steal" aims to teach how to avoid getting scammed, in business and at home. It is definitely lacking in some areas, such as computer security, but does offer some useful advice and it might be handy in opening management's eyes to some of the threats to security.

  4. Specifics by greenhide · Score: 4, Interesting

    I cringe every time I hear them say it, because I know that it is 'secure' only because of its relative obscurity.

    By "obscurity", do you mean it's not a well known product?

    I'm going to jump out on a limb here and guess that if you're going around making check software, then someone in the company actually spent a number of minutes x (with x >> 5) thinking about security in the product.

    Here's an idea. You're a junior developer, right? Why not sidle up to a senior developer and say, "Hey, can we talk for a moment?" Tell them you've recently become interested in security and learning more about it. Ask them what the current security for your products is. If there isn't really any, ask them if they know if competitors use any kind of security features, saying something like, "I'll bet it would make our product look better if we could tell potential customers that we use x, y, and z to make our products secure." If he or she doesn't sound interested, evaluate how this makes you feel about working there. It probably isn't a good idea to make this a crusade; it'll just make you look mean spirited if you push through your senior developers. You can choose to stay in the company, knowing the product isn't fully secure, or if security is your thing, you can move to a company that's more secure.

    Think about a worst case scenario: someone writes a series of checks that are bad. That's not impossible with normal, non-computer-generated checks anyway. It could potentially be a lot of money -- perhaps -- but credit card fraud is generally a lot easier to perpetrate. Most check fraud that does occur is people writing big checks on their own accounts that bounce, or it's people just forging checks, neither of which you or your company have any part in.

    If you were in a company storing electronic medical records or bank accounts, then security through obscurity would be pretty catastrophic. But I'm guessing that you're blowing this out of proportion.

    --
    Karma: Chevy Kavalierma.