Regarding 37signals and communication
Posted on Wed, 9 Sep 2009
Last edited Wed, 9 Sep 2009
37signals has responded to my original post regarding the cross-site scripting security issue I brought to their attention last month. I'm genuinely pleased to see that they are making changes in their communications process as a result of this issue. I am, however, disappointed that they have labeled the entire issue as a communications problem.
A mindset problem was at work which goes much beyond communications. In all of the time that 37signals has been in business, nobody had given thought to the idea that there should be a dedicated security contact process, or that it was inappropriate (even deceitful) to make blanket promises of data security. A failure of inaction like this always has two causes. The proximate cause, and the easiest answer to give, is that it was just a mistake: a detail overlooked in the daily scramble of business. The hard answer to give (and to accept) is that nobody thought there was a problem.
There is a neat symmetry: just as it can only take one major exploited vulnerability to utterly destroy users' trust in a company, it only takes one person who is utterly devoted to the issue of security to spot a fundamental process problem. There was no such person at 37signals when I contacted them about a security issue in their applications.
At its core, good security starts and ends with a vow to take the security of the user personally. What I saw from my own experience and the experience of other researchers convinced me that this commitment had not yet been made by 37signals. I fear that in characterizing the issue as one of communications, this larger point has been lost.
I would like to challenge 37signals to publicly pledge to become the unquestioned industry leaders in cloud application security. The commitment to lead is the only method by which you can truthfully state that you are doing all that you can to fulfill your obligations to your users. It is a difficult but attainable goal, and one which will pay dividends in trust.
There is one other detail which has not yet been completely addressed. I have not yet been able to account for what happened to the originals of the emails that were re-sent to me on August 13th by 37signals support. For my peace of mind, I hope that this issue will be laid to rest soon.