Security or Compliance? Part 1

The other day, I walked past a meeting where a couple of engineers were debating whether an added security feature was necessary or not for SOX compliance.

So, which matters more when deciding what to do – should you engage in practices that add security to your organisation, or should you attempt instead to keep up with regulatory, contractual or standards compliance?

As usual in the field of information security, your end customers aren’t actually going to care, as long as nothing happens. When a breach happens, they will care that you didn’t prevent it, and they will care doubly if the security lapse behind it was something that left you out of compliance. While “we were compliant” will not win you any friends in the event of a breach, “they weren’t even compliant” will definitely make the situation seem far worse – especially if the standard you failed to comply with is specific about the technological measures that you should have taken, but didn’t.

Your chain of command will be significantly affected by a breach, too – and again, while their careers may suffer from a breach (they shouldn’t, if they’ve handled themselves correctly and you have sane management), if you are found to be out of compliance, you may have cost your superiors money, or in some cases, their own personal freedom!

But as with all questions of compliance or regulation, there’s a get-out clause. If you achieve – or beat – the level of security that the compliance regulations were supposed to ensure, you can claim compliance by virtue of compensatory controls.

A good example is that of wireless security and PCI.

PCI says to use wireless encryption.

If you can’t use wireless encryption, you can compensate – either by making sure that no credit card data travels across the wireless network, or by using network-layer or transport-layer encryption – IPsec or SSL, say – to achieve the same purpose: protecting the credit card data from being intercepted.

Clearly, you can’t ignore compliance for security’s sake, and just as clearly you can’t ignore security for compliance’s sake.

But if you ever find yourself arguing whether a security feature is required for compliance, consider whether it’s just a plain good idea, compliance or no. That may be a quicker argument for its inclusion.

Retro-bundling – another suck of the Apple

I thought I was done blogging about Apple Software Update, having removed QuickTime from my system completely, and sworn never to install it again or watch another QT or MOV file.

But nooo, someone had to spoil it by telling me what Apple Software Update did next.

If you’re unfortunate enough to have QuickTime installed with Apple Software Update, you’ll already have seen it.

Not only is Apple going to offer you iTunes and QuickTime as an “update” (despite you not actually having iTunes installed in the first place), they’re also going to offer you Safari, the feature-light Apple web browser, as an “update” (again, even though you haven’t installed it). And they’re going to check the box, so if you think you’re just updating components you fetched for yourself, you’ll accidentally install this one, too. And they’re going to ask you every boot until you disable the check – and then they’ll just re-enable the prompt next time they have a patched version to release.

What next, “we suggest you update to Bootcamp and Mac OS X, please wait while we install, and don’t mind the reboots”?

Seriously, Apple, this just makes you look seriously unethical. You can’t get people to install Safari legitimately, by enticing them to voluntarily download and install it, so you have to sneak it in by implying it’s an update to QuickTime. What does that say about Safari? You can’t even give it away? You have to foist it on the unwilling?

Grow up.

I suggest we call this behaviour Retro-Bundling.

Bundling, of course, is when you buy a piece of software, or download it for free, and along with it comes Firefox or the Google Toolbar. Irritating, especially if you don’t want them, because half of your time in getting the software down was taken up in downloading something that you’re going to say “no” to. But at least you only have to say no that one time – or when you download the next version.

Retro-Bundling, then, would be when, after you already have the software of your choice installed, its manufacturer decides that they’d like to have bundled something else onto your system, so they try to slip it in the back door without you noticing.

I am glad to say, to judge from comments at other blogs, that I’m not the only one that thinks this is utterly reprehensible behaviour. Perhaps this is the way things are done in the Apple world – you just sit happily back as your vendor dumps more and more product into your lap.

Consider this – how would you have reacted if, next time Office for Mac was checking for updates, it came back and offered to update Word, Excel, Internet Explorer and Silverlight? Even though you didn’t have those last two on your system. Oh, and they were selected automatically, and the default button press would install them all.

Update: Someone mentioned to me that Microsoft does indeed offer Silverlight on Windows Update to Windows users even if you don’t have Silverlight installed already. That sucks, too. It’s not quite as heavy an application as Safari and iTunes, but it’s still wrong to offer “updates” that consist of an application you don’t have. Actions like this will cause people to stop accepting updates as a regular part of their computing schedule – and that can’t help the health of their computers.