[ Fer-Martin ] (Re)invent your life every day

All Engineers Should Know About Security

Categories: Technology, programming, security — 02/14/08

Hey guys,

Recently, there has been quite a lot of buzz about the DDoS attacks on the Meneame, Genbeta and Error500 websites early this week. Also, early last week the British newspaper The Register (among many other newspapers) wrote an article about how a big community of hackers started a cyberwar against the Scientology Church worldwide.

I realized how little software engineers know about computer security. It is a fact that many engineers graduate from a 5-year course without ever hearing terms such as buffer overflow, SQL injection, MITM, cross-site scripting (XSS) and many other security exploits. And this is just a glimpse of the whole area of security.


Picture of a typical Computer Security expert :)
Harry Potter learns about Security in his School, but we don’t!

Engineers don’t (usually) know (enough) about Security

The typical computer scientist usually doesn’t know much about general security concepts. And even when they have heard the terms, they have a tough time trying to articulate a correct definition. Therefore, let’s not assume that they will be able to hold onto proper design best practices when they sit down to code. This directly leads crackers to try to profit from security holes.

Usually, they don’t even know how to choose an antivirus (pdf), how to encrypt emails or how to check SSL certificates. I’m sure that if most of them sat down and studied it, they would understand everything and learn fast, but somehow I find most of my colleagues to have an orthogonal love/hate approach to security.


Security Experts and Microeconomics Laws

This has a very logical consequence that we can extract from the principles of microeconomics. The laws of supply and demand have proven right in this case: the increasing demand for “security professionals” and the limited supply of them have shifted the curves to a high equilibrium point. In other words, companies are urged to hire security professionals, and because there is little competition, those professionals can charge ridiculous salaries for their services.

But we should be aware that this is our fault, not theirs. If universities and education centers had reacted faster to this flashing alarm in the job market, we would probably be less vulnerable when we use a credit card on the internet or when someone decides to store our personal data on their servers.


Interesting Videos to Learn More

Here you have a couple of interesting videos to put you back on track.

Google Tech Talks: Security for engineers talk

Informit OnSecurity

Final Quote on Security

“Foolproof systems don’t take into account the ingenuity of fools.”
Gene Brown, MIT Professor Emeritus of Biochemistry

Enjoy!