Security accountability: We’re off

Remember the Vasco i.e. Diginotar certificate breach scandal ..? For the many that don’t read Dutch easily enough, the gist of this court decision is that the previous owners of Diginotar are accountable for the damages to Vasco following the breach since the previous Diginotar owners hadn’t secured their systems well enough.

There’s a lot to be said here.

  • E.g., that the security lapses could have been known. Due diligence …? Well, the PwC reports were all green traffic lights, at the procedures-on-paper level. But a couple of years before the take-over, already a third party (ITSec, which I know for their good work [disclaimer: have no business relations]) had notified Diginotar about shop-floor level deficiencies. That remained uncorrected.
     
  • Add to that, that actually, the previous owners themselves started legal claims. Because a major part of their sale proceeds were still held in escrow, and they wanted the monay. Vasco filed a counter claim; logically, and won.
     
  • Also, the auditors that had time and time again ‘assured’ the security of the scheme (and don’t get me started about limiting the scope of such assurance in scope vagueness or in the fine print!), haven’t felt too much backfire. Yet, hopefully. Though recently, the same firm announced an initiative towards a new, proprietary one can guess, security standard. Right.

So, are we finally seeing accountability breaking through ..? I already posted something on the Target Cxx stepdown for similar security lapse(s). Now this one. The trickle’s there, let the deluge follow. That‘ll teach ’em! And of course, generate a humongous market for backlog bug remediation, from the software levels up through controls to governance levels…
Even if that would stifle innovation for a while. Would that be a bad thing; having only the real improvements breaking through and not the junk ones ..?

OK then, now for a picture:
DSCN0358
[Monteriggione security was effective, until not, then abandoned as control approach… they did, why not all of us today?]

Leave a Reply

Maverisk / Étoiles du Nord