Why Companies Knowingly Ship Insecure Devices

wiredmikey writes "A recent survey which included responses from 800 engineers and developers that work on embedded devices revealed that 24% of respondents knew of security problems in their company's products that had not been disclosed to the public before the devices were shipped. But just what that means in terms of attitudes towards security may be more complex than it seems. Additionally, just 41% said their company has 'allocated sufficient time and money to secure' its device products against hacks and attacks. Despite this, 64 percent felt that when engineers call attention to potential security problems, 'those problems are addressed before the device is released.' So, what exactly does this illustrate about the state of security in the development process? The answer, some say, is a jumbled collage of business pressures, bug prioritization and varying attention to security."
  • Not important enough (Score:5, Informative)

    by Anrego ( 830717 ) * on Friday August 12, 2011 @11:38AM (#37068978)

    Security isn’t important enough or visible enough to the end user, and insecurity doesn’t cost companies enough money.

    If company A spends 100,020 extra on securing their product, whereas company B spends $1,020 extra .. and neither product “gets hacked” .. there is no perceived value increase. If company A has to sell their product at a higher cost .. most consumers will go with company B’s product.. _even if_ company A can somehow demonstrate that their product is more secure (and aside from a clean track record, this is hard).

    If Company B’s product gets hacked, 99% of users don’t know or don’t care.. and company A gets exactly 3 new customers (always 3.. regardless of scale) who are concerned with company B’s security track record and assume company A makes a more secure product.

    More importantly, if legislation went through saying that companies were liable for insecurity and the damage that is caused, everything would triple in cost and the masses would piss soup in rage.
