CPE: McAfee AudioParasitic: Episode 5: Are we solving the problem in the Security Industry? Part 2/2
length: 00:20:31
Continuing the discussion with Stuart McClure.
Is it worth spending time writing secure code?
Secure code must be implemented in all processes, from design to implementation to test.
Risk-reward analysis: some companies are willing to say it is not worth the hassle to do it 100% because the cost is significant, and they might not see the benefit.
Every software program has a vulnerability; it has not been found yet.
There is a natural resistance to admitting a vulnerability, because it will challenge the revenue. I get it!
What I don’t get is when we have demonstrated the PoC to them and they still deny the vulnerability.
What are the biggest challenges?
1. Malaise: people who think security is good enough are the biggest problem.
It’s like insurance: unless you’ve had an accident, you are not interested in getting full insurance. People just want to buy the good enough. It is human nature. There will always be a problem because people do not take risk seriously.
Money is a strong, strong motivator to write malware. Today they have become much more professional, so professional that they can get a very strong blip.
Going after Bill Gates is passé; now it is about making money.
It was not the fault of the bank if the bank got robbed.
It used to be the AV industry against the malware community.
Now it is the AV industry against the malware industry.
Closing thoughts:
1. It is very real.
2. User control security: eliminate 99% of the threats.
3. Vendor control security: must be built in.
Ultimately it’s about user education.