Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why "Designed For Security" Is a Dubious Designation

Posted by samzenpus on from the protect-ya-neck dept.

itwbennett writes The list of products designed to be security enhanced that turned out to be anything but seems to get longer by the day. In just the latest instance, reported by Wired last week, the crowd-funded privacy-enhancing home router Anonabox had to be recalled after an independent researcher discovered serious security flaws in the product. But security experts caution that the real problem may be bigger than vulnerabilities hidden in application code: "Designed for security products don't just have to be good. They have to be beyond reproach," explains John Dickson, a Principal at the Denim Group. "All it takes is one guy with a grudge to undo you."

2 of 58 comments (clear)

  1. Re:OpenBSD proves the claim to be wrong. by Anonymous Coward · · Score: 3, Insightful

    Probably because OpenBSD isn't designed for security. They have their priorities straight: portability, standardization, correctness, proactive security and integrated cryptography.

    Most "designed for security" products reverse the order of things. Start with a set of cryptographic solutions, sprinkle on some magic security dust, hack on it until it appears to work (i.e. "correctness"), and toss standards and portability concerns out the window. Even though those latter two things give you a fixed point of reference to shoot for when it comes to correctness (whether or not the reference itself is flawed).

    Security is a process, not a product. I would note that "proactive security" is another way of saying bug mitigation--sandboxing, address randomization, stack smashing detection, etc.

  2. Rule #1, don't taunt happy fun hackers by GoodNewsJimDotCom · · Score: 3, Insightful

    I've found that the more you tout that you have good security, the more recreational hackers come out of the wood work who would otherwise have no interest in your product other than you make it sound like a challenge. If you want good security, do your encryption, do your trip wires, keep important stuff server side, etc etc, but don't brag about it. Bragging about security on the Internet is like putting on a white karate outfit with a black belt and strutting all around the low income parts of town. Maybe you are secure in your components or your not, but don't go looking for people to try and break you.

    --
    God spoke to me