The B stands for something.
Bullshite Splooging Agency. *Hands you a tankard full of MindBleach* Drink up, it'll help reduce the twitching. =-Jp
Lobby group The Software Alliance (BSA)* has written to India's government, pointing out impractical requirements, inconsistencies, and flaws in the nation's recently announced infosec reporting rules. The organization says the problems can only be addressed with extensive consultations and a delay to implementation. The BSA …
> "stands to be flooded with incomplete information that will not present actionable data or, even worse, will include inaccurate data that distracts its attention and resources in the midst of critical incident response."
Considering my extremely low opinion of the technical depth behind this bullshit, I fail to see how the above is a problem. I've already said that CERT is effectively saying "come, DDOS me", and who are we to say "no sir!"?
On another note, I hate that CERT has finally created a situation where I find myself even somewhat in agreement with the (B)SA -- oh the shame of it!
(Posting anonymously because reasons!)
> Considering my extremely low opinion of the technical depth behind this bullshit, I fail to see how the above is a problem. I've already said that CERT is effectively saying "come, DDOS me", and who are we to say "no sir!"?
I've always believed that IT's ultimate sanction is to give users exactly what they asked for. This seems to be an appropriate occasion for applying it.
What a joke. This organisation should get off its arse and harangue its members to stop supplying software full of security holes. Why have we never heard it?
Now when India calls these companies to account it doesn't like it. You want to do business in India, you will have to follow Indian rules. Stop acting like the colonialists.
Whilst I have no wish to defend the (B)SA, I must take exception with the implication that it is wise for India's CERT to ignore the collective experience of companies many of whom have 75+ years of experience in this space and spend Indian taxpayers' money on measures that will not work.
I do agree that these firms have responsibilities for software vulnerabilities and bad architectural decisions from decades ago, but most, if not all, of them release patches every month. These firms are at least trying to deliver secure software. CERT-In, if it is not taking feedback seriously or attempting continuous improvement, is making itself part of the problem and not the solution.
Indeed. I've yet to see a single reputable security researcher endorse these reporting requirements.
I suspect CERT-In are acting under orders, and that the government sees this as purely a surveillance opportunity. But in any case it's completely unproductive as an IT-security measure.
The Software Alliance is the renamed Business Software Association, and its formal brand is now "BSA | The Software Alliance". Like, the B doesn't stand for anything at all.
I suggest we retcon it to stand for "Beta", which nicely describes both the Association and the Software for which it stands.
I also suggest we write it as βSA, just to annoy their marketing people. (I know, that's a lowercase beta, but the uppercase one only works as a joke if you check the encoding. Dratted homoglyphs.)