I think some of the reasons why security lessons don't seem fully applied to new designs are:
* It is really, really hard to do a good, secure design
* It thus takes a lot of time and effort to do
* But customers want "feature X" NOW, NOW, NOW, or that's at least what everybody seems to think
Who wins? Money wins: Provide a product ASAP, even if security is mediocre, and sell tons of units. Sad part is that the customers are the ones to suffer at the end.
Another observation is this: If a product/design with lousy security gets "first-mover" advantage in a market and sales boom, then it may live for years, perhaps decades, before being replaced with something better. That's a huge window of vulnerability. Think Telnet, FTP, and any clear-text protocol you may care to mention. They're still with us, even though they should have been put to rest years ago. Think wireless WEP security -- "wired equivalent" security, anyone?! OMG! (On a sadistic note, think Fortran, think Cobol! (OK, Only kidding! ;-))
Enough ranting. Thanks for reading.
Copyright © 2017, Eklektix, Inc.