Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

FreeMcCarty.com 2006-04-26
Anonymous (2 replies)
Re: FreeMcCarty.com 2006-04-27
carl
Re: FreeMcCarty.com 2006-04-28
Bilz
In other words don't steal data? 2006-04-27
Anonymous (1 replies)
Imagine a world... 2006-04-27
jvf (1 replies)
Re: Imagine a world... 2006-09-26
Dve
as expected... 2006-04-27
infamous41md (2 replies)
90% of you blindly take one side or the other, making up stupid examples to try and "prove" that your view is correct. This issue is amazingly complex; I don't see how anyone could come to such a firm conclusion on their own (more heads better than one).

I agree that when a student - or to generalize when any person - gives any personal data to an organization they have a reasonable expectation that their data will be kept securely. Of course, securely is a relative word here.

Does giving them your info give you the right to personally test the security of their information? If it does, then why limit the scope of the test to web apps? If they have overtly lax physical security, could you try to physically break into the premises to prove they need to do a better job? What about socially engineering records from a school worker? Perhaps these questions aren't valid ones, b/c physical security is easier to quantify than code security.

Something needs to be done though. Perhaps all the code that is responsible for protecting people's data should be put into the public domain for verification? But what about flaws that aren't in code, say some poor configuration that can be manipulated? How do you deal with that? Should there be 3rd parties that are required to certify the security of any public facing entity that is responsible for keeping people's data secure? An entity that would audit everything from the code to the configuration to the network topology? There are architectural certifiers; when you build a house someone needs to approve what's going on. Should there be "security certifiers?" Is that even possible?

A lot of you should take a very large step back and look at the issue from a variety of viewpoints.

Re: as expected... 2006-04-27
BXLE
Re: as expected... 2006-04-28
Anonymous
appearance today 2006-04-29
mv
He Should be Prosecuted 2006-05-01
Anonymous (2 replies)
Re: He Should be Prosecuted 2006-05-01
Anonymous
Re: He Should be Prosecuted 2006-05-23
Anonymous
Breach case could curtail Web flaw finders 2006-05-18
Spider Jerusalem
Copyright 2009, SecurityFocus