Early in my career, I had this interesting experience that I would like to share. I worked with a software engineer / architect who was extremely brilliant. He was equally arrogant too.
I found a very serious vulnerability in his code where a hacker could easily hijack a user session. I set up a demo scenario for this and walked up to his office to bring it to his attention. His response to my discovery was more amazing than the vulnerability itself. He thumped his clenched fist on the table and averred, "My code is bulletproof." By his immature and stupid reaction the architect increased the cost of the vulnerability.
I was deeply upset by his remark. Though it could easily have turned into a heated exchange, I restrained myself and walked back to my cube. One of the top managers happened to pass by my cube; he looked at the demo scenario and exclaimed, "This really sucks!" Eventually the vulnerability was acted upon and a fix was deployed on time.
The way you react to a vulnerability determines the cost of the vulnerability. There is no right answer here. A prudent and pragmatic approach can reduce the cost and preserve the company's brand identity.