I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the Nimrod review. Many of these repeat the points made two decades ago by Richard Feynman following the Space Shuttle Challenger disaster. Unfortunately, it seems that either our memories are short or the learning points were not widely disseminated.
It's disturbing that we continue to make serious mistakes decades after we have discovered how to prevent them. Perhaps that's an inevitable human weakness. But what counts is that we fix these flaws when they come to our attention, and that we educate others in how to prevent future incidents.
All of these lessons apply equally to security. We can learn much from the model of safety culture spelled out in the report. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it.
Comments (1)
People are lazy to fix the vulnerabilities even when they discover them and learn how to fix them. But the bigger problem is that 70% of programmers who make that software don't know much about security, or they just don't have time to test their code before publishing. That's why most software and websites are vulnerable.
Posted by Website protection | November 6, 2009 1:35 PM