Eric Holder (AG) Doesn’t Get It By 70%

US Attorney General calls for unified data breach notification laws by John Hawes.

From the post:

US Attorney General Eric Holder has put his weight behind a growing wave of pressure to improve how data leaks are handled by companies and institutions.

Interest in improving ways to ensure people are protected from leakage of personal data, and kept informed when such breaches do occur, has boomed since the recent barrage of large-scale, headline-making compromises in retail and tech firms.

Holder used the platform of his weekly video message, posted on the website, to talk about “Protecting Consumers from Cybercrime”.

Responding explicitly to the recent Target and Neiman Marcus leaks, the Attorney General demanded Congress get busy developing a “strong national standard” for breach notifications.

He claimed this would make it easier for law enforcement to investigate breaches, make breached entities more accountable for any sloppy security practices and help those whose data has been leaked.

So, breach notifications in response to:

Over time, we have built an IT landscape which consists of many rotten building blocks. Gerald M. Weinberg’s Second Law is often quoted: ‘If builders built buildings the way programmers write programs, then the first woodpecker that came along would destroy civilization.’[1] When it comes to CND, this situation is aggravated by the fact that so-called security software—the very building blocks that we try to use for our defenses—are, by far, of worse quality than anything else.[2] Statistically, not actually using it would be more secure. (Back to Basics: Beyond Network Hygiene by Felix ‘FX’ Lindner and Sandro Gaycken.)

Do you get the impression that Holder doesn’t have a clue about the current security state of the IT landscape?

BTW, the comment about security software being the worst of the lot, footnote [2] in Lindner and Gaycken, is a reference to: Veracode, 2011. State of Software Security Report: The Intractable Problem of Insecure Software. Burlington, MA: Veracode.

If you think Veracode’s 2011 report is grim reading, visit Veracode and request a copy of the 2013 report.

First finding from Veracode State of Software Security Report: Volume 5:

70% of applications failed to comply with enterprise security policies on first submission.
This represents a significant increase in the failure rate of 60% reported in Volume 4. While the applications may eventually become compliant, the high initial failure rate validates the concerns CISOs have regarding application security risks since insecure applications are a leading cause of security breaches and data loss for organizations of all types and sizes.

Hard to say which is worse: a current failure rate of 70% or an increase of 10 points since the 2011 report.

If you can, please point out how national laws on “breach notifications” can change that 70% failure rate.

If you can’t, become a source of conversation on how to change coding and other practices so that security is integral to software from the start and not a feature bolted on afterwards.
