Inherent in the meetings was the underlying theme ‘it is your responsibility to prove that there are no security problems’ without ever once acknowledging that YOU CAN’T PROVE A NEGATIVE. You can never prove something doesn’t exist. You can only prove that it does or collect sufficient evidence to the contrary and lower the risk to an level acceptable for the case at hand.

What some of the sensible guys in these meetings did teach me is that it is ultimately not the software vendor’s responsibility to secure the environment. We ran our own scans on everything and turned up the same things time and again on every product. To be terribly honest, no one was really worried about SQL injection attacks from inside the firewall. It’s easier to bribe an administrator or make a photocopy of what you left on your desk. As far as I am concerned if you ever got hacked because you put a WebTop login on the internet you got what you deserved.

A vendor will only ever test what the market demands, not what an idealogical self proclaimed thought leader declares. ECM is a business not a religion and dogma without ROI is for the simpleminded. It’s up to the owner of the system – not the component vendor to understand what risks he is introducing when he installs the product. If the product leaks like a tea strainer – shame on you for buying it in the first place OR worse for deploying it in an unsecured manner.

Here’s my take. If someone really, really wants information it’s just going to be a matter of how much time and money are you willing to spend to get it. What DRM hasn’t been cracked in someway already? If you can see it or hear it, that information can be copied in some way.

My philosophy has always been to spend your time and money protecting the most important, critical information. Sometimes you have to totally segment off sections of your network if it’s critical. You just do the best you can.

If I wanted to steal James’ identity, it’s fairly easy in today’s world. No need to hack into a EDM system. I’d just dig through his trash or steal his mail. That’s the low hanging fruit. Here’s the thing, the people who want your information are going to be after only a few things: personal identity, financials or trade secrets. The people who are actually doing the hacking are professionals brokering information to organized crime. (Not always, but you’d be surprised.)

So what if a company uses automated testing? It’s all in how you use the tool. Just because I have a surgical operating room in my basement doesn’t make me a brain surgeon. Concentrate on your employees, making sure they are trained and happy. They are the ones going to be stealing from you most of the time anyway.

Don’t loose any sleep over his blog rants. It’s hard to take him seriously anyway when his blog loses focus constantly because his thoughts wander and then he clutters up his site with random political commentary. (Seriously, what’s up with that? It doesn’t matter if it’s left-wing or right-wing. Mixing ECM content with Hillary/Bush/Iraq images makes him look like he’s the next “Timecube Guy” or is a frequent caller to Art Bell.)