MacDirectory magazine is the premiere creative lifestyle magazine for Apple enthusiasts featuring interviews, in-depth tech reviews, Apple news, insights, latest Apple patents, apps, market analysis, entertainment and more.
Issue link: https://digital.macdirectory.com/i/11584
INTERVIEW use encryption on my wireless router, so don’t listen to what I say, don’t do as I do. MA > Why do you think big computer and software companies are often so slow at patching or even admitting to basic vulnerabilities in their products? Is it really that expensive or are there other factors involved? CM > The biggest reason is money. It costs money to test and develop patches. There is no economic benefit from this action for the vendor. If a company like Microsoft can just wait until the next planned Patch Tuesday, the company will save a large amount of money. In general, security adds no noticeable benefit to software, it isn’t easier to use, more attractive, more useful. You can’t easily tell which product is more secure than the others. Even though in the long run it might benefit a company to spend money on security, it seems they choose to ship products that haven’t been adequately screened for vulnerabilities in order to maximize short-term profits. MA >Do you think companies develop technology vulnerabilities in products in order to create profit? CM > I think I answered this above. I don’t think any company purposely leaves in vulnerabilities; they just are not willing to devote the resources necessary to create secure products. MA > If you could be in charge of application security at Apple, what would be your overall strategy be (realizing that you probably can’t talk about your specific tactics)? CM > Wow, this is not a job I would want! Moving forward, I would put an shaking out vulnerabilities. I would also emphasize anti-exploitation technologies that make exploitation of existing vulnerabilities harder. MA >Governments are beginning to wake up to the fact that computer systems and networks are incredibly important and incredibly vulnerable. Do you think there will come a day when we see the same kind of safety regulation in the computer business that we do in industries like transportation and food handling? If so, what do you think would be the most effective model for handling it? Independent testing labs like UL? Commissions like the FAA? CM > I think the easiest and most effective way would be to hold companies liable for the problems their vulnerabilities cause. If there is a worm that takes advantage of a flaw in Windows that shuts down a company for the day, Microsoft would be liable. I think if this was the case, companies would work really hard to create secure software, without regulation, in order to avoid these kinds of losses. MA > Before you go to bed at night, you .... CM > read. I’m currently on a science fiction kick. For more information, check out Independent Security Evaluators: http://securityevaluators.com/ emphasis on developer security training. They are the ones writing the code and the first line of defense. As for the code that is already written, I would continue testing it and Special thanks to MacDirectory contributing editor Ric Getter for providing supporting questions for the interview. MacDirectory 143