Monday, January 21, 2008

The Fortification Movie

Last week I went to see the documentary by Fortify on "The New Face of Cybercrime". I went there thinking that it would be something that shows what cybercrime is all about and how bad guys are breaking into websites to steal credit card numbers, SSNs, etc. and selling them on the black market to make money. Basically a visual representation of what we deal with, day in, day out. But it turned out that it was nothing like that. All they have done is take interviews from reporters and some key people in the industry and put them together in the form of a movie. I couldn't understand the message this movie (or documentary) was trying to send and who the target audience was (as it definitely wasn't security professionals). In fact, someone actually asked the same question and the best they could come up with is that it is thought provoking. (LOL) It was thought provoking all right, but the thought definitely wasn't web application security.

About the target audience, well, they said the movie was for C-level executives and/or business owners to understand the consequences of the (in)security of their websites. I don't know how this movie is going to help those guys get the message. I mean, if you are trying to sell a product or a service, sure, you can use this movie instead of doing the explanation verbally. Or at least I think so. Having worked for a few financial institutions (including some really big names), and having seen first hand how business decisions and timelines are driven, let me tell you right now: no matter how much a business understands the need for web application security, when it comes to user demand or a competitor coming out with a feature that their web site doesn't have, the primary focus becomes shipping out the feature with or without security.

I would have loved to see the movie targeted towards consumers with a visual representation of how an identity theft occurs, and how businesses' security (or lack thereof) affects them. I don't know how many security professionals would agree with me on this, but I think unless security is demanded by the consumers, it will just be treated as compliance.

Nevertheless, you should watch it, just don't get your hopes high, as it has nothing new in it that you haven't already heard or read somewhere. I am not trying to undermine the effort by the Fortify folks, but I do think they could have done a better job. Who knows, maybe in the sequel they will :)

