[There's a reason that Yoda is the unofficial mascot of SBS.  Size indeed matters not.] Don't read this horrible book... - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sunday, July 09, 2006 7:00 PM bradley

Don't read this horrible book...

Seriously ... I really don't want you to buy the latest security book by Michael Howard and Steve Lipner, called... Security Development Lifecycle ... I really don't.. because if you do, you'll get as ticked off as I am about the applications that I spend money on.  Applications like my industry's tax preparation software.. software from the two major vendors that probably provide the bulk of the tax prep software in the United States..and yet..the industry-leading software...both of them are so .... devastatingly uncaring about the security of the data in that software, and amazingly they bank on the fact that "I" don't care. 

The issue isn't about security.. the issue is about privacy.  And with both major tax prep packages ... you can take the individual data files, open them up in Notepad and read the social security numbers plainly and clearly....and yet we keep buying this software.. and we keep accepting this as appropriate.
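As an added example (not part of the original post), here is a small check for exactly the failure described above: scan an application's data file for social security numbers that are readable in plaintext, trying both encodings a Windows program is likely to write. The sample records are constructed, and the "ENC:" field is a placeholder for an encrypted value, not any real vendor's file format.

```python
import re

# Matches the 3-2-4 shape of a US social security number written in text.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject shapes the SSA never issues, to keep false positives down."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_plaintext_ssns(data: bytes) -> list:
    """Return the plausible SSNs readable from raw file bytes.

    Both UTF-8 and UTF-16LE decodings are tried: a Windows program may
    write either, Notepad shows both as readable text, and a bytes-only
    pattern would silently miss the UTF-16 case.
    """
    found = set()
    for encoding in ("utf-8", "utf-16-le"):
        text = data.decode(encoding, errors="ignore")
        for area, group, serial in SSN_RE.findall(text):
            if plausible_ssn(area, group, serial):
                found.add(f"{area}-{group}-{serial}")
    return sorted(found)


# Constructed sample client record, as a tax package might write it to disk.
SAMPLE_ASCII = (
    b"CLIENT=Jane Doe\r\n"
    b"SSN=123-45-6789\r\n"          # constructed value, not a real SSN
    b"SPOUSE_SSN=000-12-3456\r\n"   # invalid area 000: should be filtered out
    b"FILING=MFJ\r\n"
)
# The same record saved as UTF-16LE; Notepad renders it identically.
SAMPLE_UTF16 = SAMPLE_ASCII.decode("ascii").encode("utf-16-le")
# Constructed record with the SSN field encrypted (placeholder ciphertext):
# nothing a file viewer, or this scanner, can read back.
SAMPLE_PROTECTED = b"CLIENT=Jane Doe\r\nSSN=ENC:<ciphertext-placeholder>\r\n"


def scan_report(data: bytes) -> str:
    """One-line verdict for a data file, for use in a quick audit loop."""
    hits = find_plaintext_ssns(data)
    return "no plaintext SSNs found" if not hits else f"{len(hits)} plaintext SSN(s) exposed"


if __name__ == "__main__":
    for name, blob in (("ascii", SAMPLE_ASCII), ("utf16", SAMPLE_UTF16),
                       ("protected", SAMPLE_PROTECTED)):
        print(f"{name}: {scan_report(blob)}")
```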

Now.. one could argue that these two vendors have done a threat model of the application and have deemed that an application that contains social security numbers but is mostly unknown outside the accounting industry doesn't carry enough risk to worry about....but in reality, should they be that uncaring about such sensitive data?  But they can do this, can't they..because my industry doesn't care... we don't bother about anything other than making sure that the software has a user name and password...but anything after that doesn't matter to my industry.

So truly.. if you do any sort of beta testing... install any sort of networks... are in charge of security in any way.. you really and truly don't want to buy this book..... it will just make you mad that the software vendors take us for granted.. know that we don't care about software security.. know that we don't want to buy software that is secure...they count on the fact that features and function are what we buy software for.  And this book annoyingly reminded me that my vendors count on me not caring about the security "and" privacy concerns of the software I buy.

And given that features and whistles and bells are really and truly important anyway... right?  I mean .. do you really care that the software your CPA uses doesn't keep your personal identity information secure and private, but instead makes sure that the icons are just so and it's more cutesy-wootsey for your CPA?  I mean, security and privacy of your social security number isn't important, right?  So don't buy the book...truly don't buy it...because it will just make you mad, is all....


# re: Don't read this horrible book...

Monday, July 10, 2006 3:08 PM by Terry Constable

Susan, interestingly, in the Mortgage industry, where I'm doing a lot of work right now, it's the opposite.  Fidelity, the 800-pound gorilla of Mortgage software, is hearing that companies want SS# masked and they want access to the field restricted, and they are working hard to change that.  This is on an ancient mainframe system that has been around for 30-plus years.  Fidelity seems to be very responsive to what its users want, because they know the competition is out there...