Comments on: MBTA Hack Shows Security Hasn’t Improved in 10 Years http://www.veracode.com/blog/2008/08/mbta-hack-shows-security-hasnt-improved-in-10-years/ Application security testing, analysis, and metrics Wed, 07 Jan 2009 02:49:27 +0000 http://wordpress.org/?v=2.6.5 By: Ben http://www.veracode.com/blog/2008/08/mbta-hack-shows-security-hasnt-improved-in-10-years/#comment-2030 Ben Mon, 25 Aug 2008 23:17:13 +0000 http://www.veracode.com/blog/?p=259#comment-2030 Incentive, incentive, incentive. Until orgs see a major downside to lousy security practices, nothing will change. PCI DSS sort of helps with that, but it's in a very specific vertical where corps generally already had some incentive to be a little smarter than an amoeba. Personally, I don't think anything short of massive liability reform will result in the improved security of systems and protection of data (particularly the fabled PII). For example, if you were to say that personally identifiable data is to be treated the same as a physical appendage, and then apply the same types of liability protections, I think you'd see a swift change in how serious orgs take security. One successful case on this basis resulting in a multi-million-dollar victory for the victim(s) would then provide reasonable incentive. Instead, we're stuck in this time-warp to the Dark Ages where incidents like the MBTA hack are seen as voodoo black magick and the response is a desire to burn the witches/warlocks at the stake (incidental pun). Talk about a screwed-up mentality. We need a new Enlightenment. Incentive, incentive, incentive. Until orgs see a major downside to lousy security practices, nothing will change. PCI DSS sort of helps with that, but it’s in a very specific vertical where corps generally already had some incentive to be a little smarter than an amoeba. Personally, I don’t think anything short of massive liability reform will result in the improved security of systems and protection of data (particularly the fabled PII). For example, if you were to say that personally identifiable data is to be treated the same as a physical appendage, and then apply the same types of liability protections, I think you’d see a swift change in how serious orgs take security. One successful case on this basis resulting in a multi-million-dollar victory for the victim(s) would then provide reasonable incentive.

Instead, we’re stuck in this time-warp to the Dark Ages where incidents like the MBTA hack are seen as voodoo black magick and the response is a desire to burn the witches/warlocks at the stake (incidental pun). Talk about a screwed-up mentality. We need a new Enlightenment.

]]>