A few reflections on security by a weary application developer

  • I occasionally deal with monetary systems (i.e. actual money transactions) but mainly produce business administration systems (i.e. where money, if referred to, is only a figure to report on). Whilst there is a complete difference in attitude to security, this doesn't bear out when it comes down to implementation.

    At one place, which claims to be the world's largest !"£$%^&* and has an 8 figure (£) turnover on certain days of the year, they are very strict about the security surrounding their systems - it's PCI compliant, for example - yet they have such poor development practices that I would not want to be the person who offers any form of guarantee on the security.

    Sometimes all the effort is made to secure one or two aspects of systems and not others. This is akin to a Fort Knox with all the guards at the front door and no back wall.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Interesting Editorial, is there anywhere you guys meet and discuss things? Anywhere a newbie can get advice etc....

  • kris.beicher (9/3/2014)

    Interesting Editorial, is there anywhere you guys meet and discuss things? Anywhere a newbie can get advice etc....

    He could tell you but then he'd have to... (sorry, couldn't help myself)

    Good point though. Also, anyone go to these sort of meetings elsewhere?

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • That was a fun read. Thanks.

  • If you have to get into personal information that is inside somebody's private property to make money then let us all hope your CISSP friends do their job and put you out of business.

    A legitimate business model makes money by delivering goods and services that people want or need for a fee.

    Unsolicited engagement based on access to personal data that is on a private device that you were not given specific access to through a legitimate and open exchange is illegal everywhere except computers and cell phones.

    Nobody wants or needs anything that requires you to have access to information they did not give approval to have.

    They especially do not want or need anything that would allow you to do whatever you wanted with that information to make money. Like selling it to a third party.

    That is double true if you charge them for part of this service while collecting their private data while having promised anonymity, and then sold it hoping not to be seen.

    I worked in the POS, Off Site ATM, and Bank Switch industry for about 7 years.

    Nobody I ever met during that time that was providing any of the services wanted anything to do with anybody's personal or private data and information.

    There were several rules and regulations that were followed and enforced by the Secret Service to help us make sure we didn't.

    Currently I work in the Health Industry.

    It is amazing to me that all of our private information stored on computers is not kept that way under the same rules as our Private Health Information.

    In short, you may end up not having what you want for quite a while if your ability to make money requires having free and open access to people's private devices and the information that passes across them.

  • My view of the 'security goons'.

    Signed,

    An applications development manager

  • You are cynical about client processing. So am I. I try to make progress on client needs. It is easy to be cynical. I try very hard to transcend this. I am learning to transcend my cynical attitudes about client processing. I am confident that you can do it too, transcend your cynical view. Come on, say it with me: client processing can be done. Come on, I know you can agree.
