When it comes to poor state of security a big cause is the poor state of the security industry, in which most of the companies don’t know or care much about security. There is obviously role for journalism to shine light on how bad things are, but unfortunately they are often a part of the problem instead. For example, it seems like that the poor state of security journalism actually leads to some of the inaccurate and sometimes all together false research being put out by security companies, as sensational claims are more likely to get coverage from journalists and those journalist often don’t do any due diligence as to whether the claims have a basis in fact. So a security company could spend a lot of time doing real research and hope that it gets covered or they could skip the hard work and just make claims that are likely to pique the interest of journalists knowing that it is unlikely the journalists will look into the accuracy of the claims.
When it comes to the security of WordPress plugins we often see inflated claims about minor issues, while at the same time other issues that are serious issues don’t get coverage. Take for example a situation that we have been trying unsuccessfully for years to get fixed, where WordPress is refusing to warn people that they are using plugins that have been removed from the Plugin Directory due to security vulnerabilities. Considering that some of those plugins will never be fixed by the plugin’s developers and others are already being exploited when the plugin is removed, warning people is necessary and not doing it is leading to websites being hacked. At the same time you get overblown coverage of minor vulnerabilities that have already been fixed. A recent situation along those lines, shows that sometimes security journalists can actually be better than that, but that security journalism done by a security company can come in to keep the bad situation going. [Read more]