Fixing Security Through Obscurity?

LineNoiz asks: "I work as a junior developer at a small company that sells check printing software. One of my company's favorite things to tell customers is how secure our product is and how it will reduce check fraud (we even sell check fraud insurance). I cringe everytime I hear them say it, because I know that it is 'secure' only because of it's relative obscurity. I personally know very little about security, and really have no idea what it would take to make our product secure. All I really know is that this is a problem waiting to happen. How can I convince my managers that our security is nothing to brag about? How can I convince them to spend the time and money to make it secure? Where can I myself go to learn more about security and what it would take to make/keep it secure?"

Specifics

[greenhide]

I cringe everytime I hear them say it, because I know that it is 'secure' only because of it's relative obscurity.

By "obscurity", do you mean it's not a well known product?

I'm going to jump out on a limb here and guess that if you're going around making check software, then someone in the company actually spent a number of minutes x (with x >> 5) thinking about security in the product.

Here's an idea. You're a junior developer, right? Why not sidle up to a senior developer and say, "Hey, can we talk for a moment?" Tell them you've recently become interested in security and learning more about it. Ask them what the current security for your products is. If there isn't really any, ask them if they know if competitors use any kind of security features, saying something like, "I'll bet it would make our product look better if we could tell potential customers that we use x, y, and z to make our products secure." If he or she doesn't sound interested, evaluate how this makes you feel about working there. It probably isn't a good idea to make this a crusade; it'll just make you look mean spirited if you push through your senior developers. You can choose to stay in the company, knowing the product isn't fully secure, or if security is your thing, you can move to a company that's more secure.

Think about a worst case scenario: someone writes a series of checks that are bad. That's not impossible to happen with normal non-computer generated checks anyways. It could potentially be a lot of money -- perhaps -- but credit card fraud is generally a lot easier to perpetuate. Most check fraud that does occur is people writing big checks on their own accounts that bounce, or it's people just forging checks, neither which you or your company have any part in.

If you were in a company storing electronic medical records or bank accounts, then security through obscurity would be pretty catastrophic. But I'm guessing that you're blowing this out of proportion.