You can't secure what you don't acknowledge.SM

Tuesday, May 12, 2009

Secure code by force?

The Senate Homeland Security Committee, in their infinite wisdom, prodded by SANS' Alan Paller, apparently believe they can legislate secure software from IT vendors.

That'd be like legislating more secure health records, and personal financial information, and so on. Oh wait, that has been done. And it's not working all that well as far as I can tell.

That'd also be like legislating higher-quality cars. Ha! The Feds can work that out since they're going to own that industry moving forward.

Ahhh. Laws, laws, laws - they're cropping up all over the place and are hardly doing anyone any good.


  1. (In my heart of hearts I am a believer in small government, but our society seems to be in an odd situation)

    Tough problem. Clearly we are not going to self-police. That means gov't intervention as a last resort. HIPAA, we could argue it does not work, but the folks that looked at Clooney's and Spears' medical records were caught and fired.

    Same thing with personal financial information. If all those states had not passed disclosure laws the problem would be even worse.

    Bottom line, we are far from ideal, but right now we seem to need gov't intervention and compliance to do the right thing. I hope the future is brighter!

  2. I agree, Stephen... We definitely live/work in a non-ideal world. If people don't protect sensitive information the way it needs to be, then maybe it is a function of government to step in and try to make it happen. Otherwise it'll never get done.

    It's just unrealistic to believe that when the government flexes its imperial muscle by mandating secure software that things will actually change. Again, it's like requiring the automobile manufacturers - esp. the ones who sell to government fleet programs - to eliminate quality flaws in their cars before they're delivered...It'll never happen.

    That's how government works: politicians have grand ideas, they get people on board and fired up, but in reality their mandates can't deliver anything better than the private market could've done on its own... They usually make things worse - like a quote I saw recently: "Congress could mess up a train wreck". Maybe information security and privacy are exceptions. Oh, and the U.S. Postal Service too.