> when this is over, Sony may end up being one of the most secure web assets on the net.
Sorry to be harsh, but this is wishful thinking.
When you've been very careless about security for years (PS3 random seed not random, music rootkit that was hackable, OMA master key leaked, PSN servers not up-to-date, PSN trusting the PS3s, etc.), you don't simply turn into a "secure" company, unless you spend years on corporate policies and training, trying to change the habits of your employees...
Changing (or creating new) employees' reflexes and habits isn't easy at all, especially when you are an international company with different cultures on board. This can be a herculean task.
Or it may never happen. Security is a culture and a way-of-life. It's not a couple of technologies, a new CTO, and a couple policy emails and training sessions.
Yes, but culture isn't immutable. And a top-down, company wide focus on security and proper training is a damn good place to start.
The problem is getting middle management on board. It's no good if mid-level managers tell their direct reports to go to the training and then go back to business as normal with the same old priorities and no extra time/focus on the new security aspects.
D.H. Banes: I believe, umm, that certain people in life are meant to fall by the wayside; to serve as warnings to the rest of us; signposts along the way.
Not having any inside knowledge, I don't _know_ this, but it's always seemed to me that Sony has never been able to write software to save its life. Whether it's PSN, or the pathetic web store for the Sony eReader, or the equally pathetic Mac and PC software for the Sony eReader, Sony software has consistently disappointed me.
Given how brilliant Sony's hardware designers have historically been, I wonder if there is something fundamental going on. Could it be that Sony is simply not good at hiring and retaining good software engineers, perhaps because the hardware engineers get all of the kudos and awards and perks? If so, Sony wouldn't be the only company that has had that problem. Before I gave up on Nokia smartphones (my last Nokia phone was the E70) I've had similar suspicions about Nokia products. I loved their hardware design, but the software didn't seem to live up to the promise of the hardware...
I'm a consultant who is wrapping up a gig w/ a division of Sony, and I will say that Sony as a company is very, very siloed. The various divisions of Sony almost never communicate with each other, and there's a shit-ton of duplicate effort within groups. I'm very surprised they were able to develop a PSP Phone.
I guess I'm thinking that trying to diagnose the problems with their software as a corporate culture thing might be a bit misguided as Sony literally behaves like several completely separate companies running in parallel, unaware of each other. Although perhaps the quality of their software would improve if they worked together and leveraged each other's work. Seems like a stretch, though.
The problem here is that they have created a beacon for all hackers that want to make a name for themselves. Of course they are going to have security loopholes, most web assets do, but their standards now have to be magnified by a magnitude to keep intruders out.
Yeah, this is it. It only takes one SQL injection for Sony to make the news these days. Just think about the number of web properties Sony has. I wouldn't like to have the job of securing those in the first place, let alone with a bunch of crackers with a reason to target you and the associated press coverage.
Not to say that this is good; it's awful for your users' data to be exposed.
If a company or group is so big that it can not operate securely, then it is either too big or in need of major rearrangement.
Right now Sony are in the unenviable position of needing to fire-fight their many security issues while the high-power spotlight is on them, lighting other stray bits of touch paper. Hopefully (yeah, this hope is naive in the extreme, I know) Sony will take away from this the need to get security right on all levels before the first attack and subsequent media attention, and hopefully other companies are taking the situation as a wake-up call and instigating a meaningful review of their own security mind-set (or at least double-checking their policies and their adherence to them if a sufficient security mind-set is already in place).
But it would seem that Sony's general culture in that arena is significantly below what could be reasonably expected, and hopefully everyone else is now actively checking to make sure theirs isn't...
I hope they will succeed, though...