Post ASTNLfOaPMKJasceau by taosecurity@infosec.exchange
       2023-02-08T14:30:40Z
       
       1 likes, 1 repeats
       
I largely agree with #BruceSchneier here, although there are limitations to using an approach backed by non-conflict safety-oriented analogies (car crashes, fresh food, fire-resistant pajamas [!] -- good luck vs a weapon). Still...

"[I]mprove government software procurement... to evaluate the security of the software and the security practices of the company, in detail, [and] to ensure that they are sufficient to meet the security needs of the network they’re being installed in. If these evaluations are made public, along with the list of companies that meet them, all network buyers can benefit from them."

and

"The government needs to set minimum security standards for software that’s used in critical network applications, just as it sets software standards for avionics."

https://www.schneier.com/blog/archives/2023/02/solarwinds-and-market-incentives.html

While still a step forward, Mr Schneier's approach still has problems:

1) regulatory capture of government agencies by scrutinized vendors;
2) irrelevant assessments leading to irrelevant results;
3) apathetic / ignorant / incapable customers who cannot put any useful government assessments to work in their environments.

While harsh, I advocate for regulation and practices that price insecure organizations out of the market. If it's too expensive to run your insecure IT, then you'll look for cheaper alternatives.

#cybersecurity