
Security Is A Quality Issue

Security is a quality issue. Except we don't treat it that way and that's costing us dearly.


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How are you doing today? Thanks for joining me on the show; very much appreciate it. Taking a bit of a break between the basics series. We wrapped up sort of phase one of cybersecurity basics, and I'm getting some great feedback on where you want to see me go with the basic basics.

So, talking about things like how some fundamental protocols on the internet work, how things like your browser work, your operating system, stuff like that, to really understand the context of a lot of the security and privacy decisions we have to make. What I wanted to do is take a quick segment to talk about one particular announcement that kind of maybe snuck by, and not so much an announcement as sort of breaking news.

So there's been a lot in the news last week about, obviously, the new iPhones. iOS 12 dropped, which has some great security updates as well as features. So make sure you update your devices to iOS 12 as soon as possible. But one thing really highlighted something that's been going on continuously.

So Catalin from ZDNet had a great article, which I'll tweet out and link below in the description, about a vulnerability in iOS where you can send a text message, or any message, that will send people to a URL.

And you can put in a malformed style sheet that will actually crash the browser; it will deny service to Safari based on a bug. And the reason why I bring this up is simply because Apple has a really high level of software and hardware quality. Yes, they make mistakes.

Yes, there are issues, but they have a really good process for generating quality software, and even they have a vulnerability like this pop out. I'm sure it will be rectified very, very quickly. In the meantime, it doesn't steal data, so it's not the end of the world, but it ties to an issue that's been on my mind a lot.

And it's something that I've been giving talks about: security culture, but also how security is a software quality issue. It's also a hardware quality issue, but more often than not, it's a software quality issue. So when you start to think about security in a quality context, a whole bunch of things kind of open up and you go, oh. So I've been giving a lot of talks on it in the context of security organizations and how they need to adjust their approach.

But when it comes down to it, from the personal and sort of the general view: the more often you're on things like beta software, the more often you're dealing with an app that does a lot from a smaller shop,

the more often somebody has a poor reputation for quality, if it's buggy software, the more likely there are security and privacy issues with it. And this comes down to a fundamental disconnect in how we think about security. We think very much about security as being this discipline that you can do after the fact.

And as we talked about in the cybersecurity basics, bolt-on versus built-in: security needs to be integrated, and it's very much a quality issue, which means you need to take steps to make an impact early on. So think about quality in another context: if you were making a meal, you want to use quality ingredients to make a good meal.

If you don't use quality ingredients, you tend to have a really poor meal, and it's really hard to cover that up. So you may slather some sauce on to make it taste better, when, if you'd used better ingredients in the first place, you'd have a much better outcome.

That's exactly what we're dealing with in cybersecurity today: basically, cybersecurity is a really high sugar content that we slather on the end of something else to make up for poor ingredients that we put into the pot in the first place. That's not OK. That is causing way more problems.

It's costing way more money for organizations to fix those. Once we start to treat security as a quality issue, you can look at quality metrics, which are really well understood, far better understood than cybersecurity. So you can start to deal with things in context, and you know that if things hit production, it's going to cost you 30 times the cost, ballpark, compared to the staging stage.

So before you push it into production: 30 times, sorry, 30 times compared to the initial planning stage, twice as much as the staging. So 30 to 15 times the original cost going in. So if you are just about to deploy something in production and you can catch the error there, you're going to pay half as much as you would if you took it the next step, and that's paying in time, that's paying in actual money.

If you can catch it in the planning stage, it's 30 times cheaper to catch it in the planning stage. And you know that scales up. So security is very much a quality issue, but we don't treat it like a quality issue, and that's the fundamental problem. So I'm giving the keynote at S a conference in Toronto, Ontario, Canada in the first week of October.

And it's around this cultural disconnect. It's around security being a software quality issue. So if you're around, check that out; if not, I'll be posting some supporting material and essays, and I think they're going to record the talk afterwards. But it's something else that's in the back of my mind as I'm talking, and what's driving these basics series, what's driving a lot of the work that I've been doing outside of the daily shows here.

So, just food for thought today: security is very much a software quality issue. I hope you're set up for... Fantastic. Let me know what you think about this issue, and also about that basics series, where you'd like to see me go. Amazing feedback has been coming in.

It's really helping me shape that up, and we'll get that rolling, I'm sure, probably later this week, depending on what hits the news this week. So hit me up online at marknca, for those of you on the blog, in the comments down below, and as always by email, me@markn.ca. Have a fantastic day, talk to you online, and I'll see you on the show tomorrow.
