Do We Really Need a Security Industry?

Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren't IT products and services naturally secure, and what would it mean for the industry if they were?

I mentioned this in an interview with Silicon.com, and the published article seems to have caused a bit of a stir. Rather than letting people wonder what I really meant, I thought I should explain.

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.

Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.

Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the internet. Initially we'd still be spending a comparable amount of money per year on security -- on secure development practices, on embedded security and so on -- but some of that money would be going into improving the quality of the IT products we're buying, and would reduce the amount we spend on security in future years.

I know this is a utopian vision that I probably won't see in my lifetime, but the IT services market is pushing us in this direction. As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers -- whether home users or multinational corporations -- care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure.

Eight years ago, I formed Counterpane Internet Security on the premise that end users (big corporate users, in this case) really don't want to have to deal with network security. They want to fly airplanes, produce pharmaceuticals or do whatever their core business is. They don't want to hire the expertise to monitor their network security, and will gladly farm it out to a company that can do it for them. We provided an array of services that took day-to-day security out of the hands of our customers: security monitoring, security-device management, incident response. Security was something our customers purchased, but they purchased results, not details.

Last year BT bought Counterpane, further embedding network security services into the IT infrastructure. BT has customers that don't want to deal with network management at all; they just want it to work. They want the internet to be like the phone network, or the power grid, or the water system; they want it to be a utility. For these customers, security isn't even something they purchase: It's one small part of a larger IT services deal. It's the same reason IBM bought ISS: to be able to have a more integrated solution to sell to customers.

This is where the IT industry is headed, and when it gets there, there'll be no point in user conferences like Infosec and RSA. They won't go away; they'll simply become industry conferences. If you want to measure progress, look at the demographics of these conferences. A shift toward infrastructure-geared attendees is a measure of success.

Of course, security products won't disappear -- at least, not in my lifetime. There'll still be firewalls, antivirus software and everything else. There'll still be startup companies developing clever and innovative security technologies. But the end user won't care about them. They'll be embedded within the services sold by large IT outsourcing companies like BT, EDS and IBM, or ISPs like EarthLink and Comcast. Or they'll be a check-box item somewhere in the core switch.

IT security is getting harder -- increasing complexity is largely to blame -- and the need for aftermarket security products isn't disappearing anytime soon. But there's no earthly reason why users need to know what an intrusion-detection system with stateful protocol analysis is, or why it's helpful in spotting SQL injection attacks. The whole IT security industry is an accident -- an artifact of how the computer industry developed. As IT fades into the background and becomes just another utility, users will simply expect it to work -- and the details of how it works won't matter.

This was my 41st essay for Wired.com.

EDITED TO ADD (5/3): Commentary.

EDITED TO ADD (5/4): More commentary.

EDITED TO ADD (5/10): More commentary.

Posted on May 3, 2007 at 10:09 AM • 45 Comments

Comments

Pat CahalanMay 3, 2007 10:46 AM

I agree that the "IT as a Utility" meme is actually the correct one for core services, and that large corporations (and in the longer run even SMBs) are following the pattern of contracting for services rather than deploying their own. It simply makes better business sense -> a high end IT professional specializing in domain security or network engineering is too expensive an asset to maintain unless your core business is security or networking.

There is a break between "IT as Utility" and "Innovation as Business Value", however. Innovation in IT is going to be a big mover in business for some time, and trying to take a utility approach to everything IT is going to be disadvantageous, unless you're very careful about who you partner with for your IT services :)

On a more basic level, people still want their computers to do everything. As long as you're not willing to make something a utility (by limiting what it can and should do in return for a higher QoS on what it actually does do), you can't treat it like one.

Rambling a bit there, but essentially I agree with you, Bruce... this is where we're going, we're not going to get there anytime soon, but it does make a lot more sense than what we do now.

Bigger OfcomMay 3, 2007 11:18 AM

Actually what BT customers want is to be billed correctly, and not in a letter saying "pay X by tomorrow or be charged extra".

I've saved the last couple of these and hope everybody else will do the same. The resulting flurry of cases in MoneyClaimOnline should be interesting.

False DataMay 3, 2007 11:34 AM

So far, software engineering has tackled increasing complexity in code by applying engineering methodologies that reduce the number of interacting components. For instance, compared to unstructured code, structured programming cut back the number of interacting parts by confining state information to local variables within subroutines and by encouraging standardized control structures. I wonder if the same approach would work in the IT security arena. I'm thinking of something that goes beyond best practices or admonishments not to use scanf("%s"), something more like the paradigm shift in design practice that comes with the change from unstructured code to structured programming, or from structured programming to object oriented programming, possibly coupled with new programming languages, design tools, and network designs that would support it. Would such a technique help? And, if it would, do we know enough about the underlying theory of IT security to create it?

John H. DykstraMay 3, 2007 11:39 AM

Bruce, you think things should be secure out of the box, but nothing being produced today is - the closest in production is OpenBSD, and it still has security issues. Do you have any desires to try and get down and dirty in your own software development or are you just hoping someone will step up and do things better?

And which operating system do you use anyways? I don't recall reading what you're using these days.

BasilMay 3, 2007 12:16 PM

The security of a system is depends (in addition to many other variables) on its complexity.

As a system becomes larger and more complicated, the potential for unintended access increases exponentially. No matter how hard people try to make a product secure from the start and keep it that way, every layer of complexity could add holes. Aftermarket security and patches will always be around. I agree that it may become more of a service provider industry, but there will always be people using complicated systems for a simple purpose (like a desktop computer running a gui based OS for email and web browsing), and that means that anti-virus and firewall products will always be sold.

merkelcellcancerMay 3, 2007 12:49 PM

Nothing has changed since I saw my first Peter Norton logo and face on a security product in the late 80's.

Bruce SchneierMay 3, 2007 12:54 PM

"Nothing has changed since I saw my first Peter Norton logo and face on a security product in the late 80's."

And nothing will change until you can sue that guy's ass if his security products don't work.

DeweyMay 3, 2007 1:01 PM

I don't think that security will become inherent until the mindset of the user base changes.

People seem willing to "take their chances" far too often. That mindset far pre-dates the computer age and I think will last for a long, long time.

Of course, many of todays issues will be solved problems in the future, but I'm sure that the desire for "just a bit better" will continue to out pace "just a bit safer" unless something catastrophic happens to the human race.

I do think that general security will improve. In fact, we're already seeing it. Currently we still deal with the lowest level protocols designed by people trying to get something new to work, not trying to design a utility. Over time the developer base will change and you won't find a technologist who isn't at least aware of security -- that, of course, doesn't mean they won't cut corners, just that they'll be aware of the corners they cut. It will change the way we think about security and probably reduce the egregious violations (e.g. the FTP protocol) and we will be able to take certain things for granted (perhaps DDoS will be a thing of the past) but better will still beat safer.

krisMay 3, 2007 1:46 PM

Fully agree in products with built-in security as it saves in total costs.

AnthonyMay 3, 2007 1:52 PM

Bruce, in your line of thoughts - if we don't need a security industry then I wouldn't be posting this comment at *this" blog. You forget a core principle however - usability vs security. If you start building a product with the idea to be secure right from the very beginning you'll fall a victim into the UTOPIA that security is possible, even worse, start preaching it. Companies aren't supposed to ship products with security in mind simply because they're not in the business of security. They build them, see how the market and hackers reach and catch up with them. If there's a company to sued however that shouldn't be your anti virus vendor but Microsoft whose mistakes developed the entire security industry, I'm sure you're aware of that.

Marginal thinking fully applies here, and best of all - companies should focus on growth not security as the world doesn't orbit around security issues only but capitalism and increasing profit margins based on perceived value of a service/product. That's the reality no matter we lke it not.

funkyjMay 3, 2007 2:03 PM

speaking of wanting it to just work, here is my personal horror story:

I started buying NAV because it was what they used at work. I am "the IT guy" for my parents and, to a lesser extent, my siblings.

Over the course of the last few years every time one of us has tried to upgrade NAV there has been a licensing problem.

The last time was December 2006. I bought a new 1 year license for my household but when I installed it the licensing went haywire and insisted my subscription was still expired. Final result? I've given up and I'm simply running with old virus definitions.

Sure, I should call Symantec and get them to fix the problem or, at the very least, give me my money back but what I value even more than the money I paid is my time. I simply do not have the time to waste sitting on hold as the n-th support guy hands my case off to the n+1 support guy. I want it to just work damn it.

One thing is certain: I'm never buying a symantec product ever again. I suspect the other anti-virus vendors are not any better about licensing which is why I have simply given up.

SIDEBAR: A while back, out of paranoia, I bought a cheap laptop that I use for my online banking stuff and nothing else.

I do keep all of my WindowsXP boxes updated with the latest patches (because this "just works") but that is the extent of my security.

FooDooHackedYouMay 3, 2007 2:18 PM

The fundamental problem is human nature. The fact is that people make poor decisions and attempt to hack software, systems, physical security, etc... This will not stop no matter what the software industry does. People will find a way to break something. It would be nice if we lived in a utopia where we were all nice to each other but that's not reality nor will it ever be... Thus the reason the security industry exists and will forever continue to exist in one fashion or another.

PeripateticMay 3, 2007 4:05 PM

"The whole IT security industry is an accident -- an artifact of how the computer industry developed."

I think it was no accident and the computer industry is in no way unique in its development with regards to security.

First of all, between usefulness and security, security is a distant second in importance for most products and services. For anything that's sufficiently useful, people will put up with the security problems and try to work around them the best they can. So any new industry is going to be laser-focused on usefulness or it'll never develop into an old industry.

Second, every industry that has a security component has a corresponding security industry. Take the home-building industry. 10,000+ years in the business and the basic home has hardly added any new security features. There's also a pretty big home security industry that's very much not in the background, especially if your security system is of the canine variety. Or how about the banking industry. It's true that we don't have to form up posses to go after bank robbers any more, but the customers are now worrying about phishing, check fraud, ATM skimming and still dealing with security on a daily basis. Shouldn't security worries have faded into the background after 2,000 years of banking?

If an industry needs security in the first place, then the end users will always have to worry about it. Because if they don't, then all the other security systems would be worthless. And as long as end users have to worry about security, there'll be a security industry there to sell them things that will let them worry just a little bit less.

RoxanneMay 3, 2007 5:37 PM

Side query: If you've written 41 (!) articles for Wired, does that make you a 'regular contributor' or an 'occasional columnist'? How long will it be until you get a monthly column?

AnonymousMay 3, 2007 8:53 PM

Replace "IT" and "IT security" with "automotive" and you can see some interesting parallels.

Early automobiles were ramshackle and unsafe. There were countless small vendors. The roads were designed for very different modes (horse and wagon).

The evolution of safety, reliability, etc. took a long time. So did ubiquity, infrastructure (i.e. roadway technologies), etc.

And note that one of the forces driving safety, reliability, roadway technology, etc. was govt regulation. It's also interesting that in some cases, initial regulatory forces rapidly evolved into consumer checkpoints. For example, you now have cars competing on safety ratings, number and quality of airbags, etc. So while it took regulation to start forcing those features into cars, it's now largely self-sustaining. Evidence of that is the difficulty in selling used but still-reliable cars that don't have airbags. The units with airbags command higher prices.

LouisMay 3, 2007 10:06 PM

Most buildings/houses are sold with locks on door and there is definately a history behind the construction industry. Make that centuries of it...

Yet, no one will sue an architect or a contractor because a thief managed to enter the building and steal something. And while building security evolves, thiefs are also getting better at it. Conclusion: theft will most likely never disappear, there will always be a need for physical security.

And furthermore, this industry (and their lobbyists) will never abide to the idea that you can sue them over such facts. It is not their purpose to secure, get help.

My understanding, based on this, is that the two industries (IT software makers and IT security enablers) are symbiotic and will never cease to co-exist. One is the natural complement of the other, to a point where having the former without the latter will get you laughed at (private-held Co) or scolded (publicly-held Co).

This will not change. At least for a long while...

Whether society will push IT into commodity is another story, and I don't think security will be a driving factor, rather a mere added-value.
I do believe some businesses, big or small, will never agree to spend the money to knowingly pay for both sides.

That's why MS sells a firewall and an AV now.

GrahameMay 4, 2007 12:09 AM

Fully disagree that products with built in security will be cheaper, because I have an idea how much it would cost to produce them. If I offer you you windows, with it's awesome functionality spread for maybe a thousand dollars maximum (with security add-ons included), or My_Secure_OS which has no extras and only a few network services but is provably secure, and costs about a million dollars, which will you buy? Does the fact that you sue me if My_Secure_OS turns out to be insecure change your decision?

I'd use OpenBSD (do for firewalls), but, well, it doesn't run the applications I need to run....

anonymoustrollMay 4, 2007 5:50 AM

Even utilities need security; the electric company monitors for abnormal usage, water utilities spend a lot of money finding/fixing leaks in their lines and even airplane companies have to worry about black market parts.

...yes, I know you think you're primarily talking about data communications security... but what you're *really* talking about is information security. Information is the one common thing that links all industries.

...and information is most certainly *NOT* a utility.

The assumption of "Do We Really Need a Security Industry?" is that the information an industry functions under is not worth obtaining.... and I don't know of many companies in that situation (and certainly none that could afford your services).

boris kolarMay 4, 2007 7:18 AM

You really can't compare utility services like electricity with software. Electricity has one or two uses (to power things, to start chemical reactions, anything else?), while software has infinite layers of applicability. The best you can do is to move insecurity a few layers up.

I often compare security vulnerabilities with bugs. Every software that has bugs also (extremely likely) has security vulnerabilities. You could say that when a bug is found, it's (almost) a definitive proof that software is not yet secure.

The best we can do, is to push insecurity to upper layers. First step: make kernel invulnerable (and consequently simple, small, and bug-free). It's doable if kernel is actually microkernel/hypervisor with just a few thousand lines of code. Then make virtualization secure (also doable). You still won't have secure system, but at least you could isolate different "islands" of insecurity. And that's the best you can ever hope for.

H.C.D.May 4, 2007 7:19 AM

I find it hard to believe that the security industry, for the most part, was an accident. Companies like Symantec and McAfee rely on viruses and worms to be a problem for their products to sell. Is it hard to believe that perhaps, in some cases, they might be creating the problems (viruses & worms) so that they can stay viable?

What's considered highly secure today may not be secure tomorrow. There was a time when DES encryption was all you needed. No longer. As computers & processors get faster and faster, it will be easier to crack encryption. Security is an arms race and by no means is it going away unless we start over from scratch on how computers & networks are built, how they operate, and how they talk to each other.

PolRMay 4, 2007 7:52 AM

I think this argument is overstated. If all knives couldn't cut meat, we wouldn't have to worry about cutting ourselves when cooking and murderers using knives. Sometimes you need to allow the capability to do damage to get a useful tool. For example if computers can send traffic, they can be used for DDoS.

Another but different reason can be found in the SSL accelerators market. It is not that the web servers lack SSL, it is that when a site carry over a certain volume of traffic, moving the SSL function on a dedicated box is a better design.

That being said, I agree that much of the current security industry exist because the base IT product is inheritently insecure when it does not need to. I just wanted to point out that the gap between "much" and "all" of the security industry can't be ignored.

DanMay 4, 2007 8:18 AM

Bruce, I agree that security needs to be built in. Without a doubt, insecure software is the source of all the problems.

However, the complexity of software today makes secure software statistically impossible. So, we will ALWAYS have insecure software, there's just no way around it. Maybe we can get to software 100x more secure than it is today. I think we can, and someday will (in my lifetime? Maybe not...)

Will all that being said, even if we did have software that was "secure", as a security professional, I would still buy firewalls, etc, because I want to have security in depth. I don't want to rely solely on my core software being "secure".

I'm surprised you overlooked such a basic security principle as security in depth. I suspect you did so intentionally to help give weight to your point, but I think it detracts from the argument's credibility. Maybe some things would go away with secure software, but much would stay the same.

SteveBMay 4, 2007 8:50 AM

If I want to escape reality, I'll ride with you.

Out of the box security sounds great theoretically, ff there were no one interested in stealing our assets in some underhandedl way. We could even keep our doors unlocked. How's that for escaping reality?

We would never read about the variations on a theme or even innovations made by theives to penetrate a supposidly secure systems. I won't even mention the security breaches that occur internally from some employee who feels, for whatever reason, they are entitled.

Talk about out of the box solutions, let's go one step further. It's called when you are born being raised by your family to know what is right and what is wrong. But the reality is unfortunately clear. Our society and our world have some bad people in it. To survive ONGOING (after the box) security is a must.

Whatever security is in place, we will always be on a mission to continue to proact anticipating that our hard earned assets are too valuable and continue to need ongoing protection as conditions change.

KevinMay 4, 2007 8:55 AM

I am sorry but I don't agree with much of the premise of this article and, in some respects, it buys in to one of the greatest problems I see in the security industry. I agree that the glut of security product vendors is a problem but not exactly for the reasons cited in this article. When I talk about security my conversation always addresses people and process before technology. I look at business process and the criticality of that process to the bottom line. I then look at the data or information that supports that process to determine what unauthorized disclosure, alteration or destruction of that data would mean. Next I look at the controls needed to reduce that risk to an acceptable level. Most of these controls start off operational in nature to include training, oversight, etc. Finally, I look to make these controls more effective or more efficient by implementing technology.

As I see it, many organizations today have signed up for the "security via technology" program. They view security to equal buying techno-gizmos and that view is encouraged, for obvious reasons, by security vendors.

People have been combating security threats since the beginning of time. The field of "information security" is simply a variation on the same themes. I believe it will never go away. If bad network traffic could not be used to attack computers and if computers were secure against malware we would still have users. Those users would still send threatening or harassing email. Those users would still use their access for personal gain. Those users would still be subject to bribery and intimidation. Until we can create the Utopian user there will always be the need for a security industry.

BenMay 4, 2007 9:34 AM

Sorry old boy, but I think you've cracked. Your comments here are so contradictory that it's mindboggling. Aren't you the one who says we can't anticipate all eventualities? How then could you conceive of products that are perfectly secure? Frankly, I think I remember you saying that there was no such thing as "perfect security."

And, btw, what's wrong with having security-specific tools, like firewalls, IDS/IPS, etc.? Over the history of computing, we've seen cycles through distributed and centralized approaches. To me, using specialty tools is a similarly cyclical trend. Also, it allows one to depart from the "if all you have is a hammer, then everything looks like a nail" approach. There are good reasons for specialty tools.

Lastly, you seem to completely overlook that security integration with products would still require a security industry -- just one that would be more professional services oriented than tools/products oriented.

Overall, I think you've finally lost it. Sorry to see, you've been such a reliable source for insights over the years.

Brandon FoutsMay 4, 2007 10:31 AM

Netware actually had/has security designed in. Like BSD, I guess, you read of very few security problems - IF you don't run MS network client, NetBIOS, SMB - which you don't need for the internet anyway. Just use Novell network client. And Novell login/password systems are very secure. Always have been.

And AppArmor for Linux looks like a big part of the security solution to me. A white list that only allows what you trained it to allow. Anything not on this white list - doesn't run. This is per application, so it isn't auto-magical. But you really should check it out.

Pat CahalanMay 4, 2007 12:48 PM

I think some of the commentators here are taking the column out of context (where the context == everything the Bruce has written about security).

He's not saying that we'll live in a secure world if primary vendors just write secure software. He's saying that the current method of making things more secure is broken -> we tack security onto base products by purchasing additional products, but this removes the incentive for the base product to ever get better.

There's a pretty massive difference between "out of the box" security (which I agree isn't feasible) and "out of the box" insecurity (which I think we can all agree is what we have now).

MikeMay 4, 2007 2:44 PM

I agree that it is time to abolish the entire infosec industry and its corrupt protection racket. How can it even be legal for an industry to exist that only sells 'solutions' to the exact imaginary problems it invents?

The entire computer security industry is unethical and should be recognized as the anti-social criminal mafia that it is.

Marko @OUSPGMay 4, 2007 2:46 PM

I couldn't agree more with Bruce's observations and analysis.

What is even more ironic is that from our (OUSPG) perspective reactive security products (just) add to the attack surface. Average quality of AV, IDS, IPS, FW, UTM, ... products doesn't appear to stand out from software industry in general. We are frustrated to see vulnerabilities in these products themselves, especially taken that they are running with highest possible privileges (at minimum) where there is something to protect.

Poor quality and increasing complexity is a dangeroous mix.

Please keep up the good work in waking up the people. :)

ZTZMay 4, 2007 4:44 PM

I would agree with 'mike', the security industry has declined into nothing more than a legal and highly developed extortion and racketeering 'profession' . Exploits are FREQUENTLY released 0-day without notifying the vendor beforehand, even some of the most 'respected' people in security do this frequently. This is easy money, You give a bunch of mindless, talentless script kiddies who idolize mafiaboy and kevin rose a powerful exploit, and money seems to roll in, Like I stated earlier, It amounts to nothing but extortion.

RJDMay 5, 2007 10:59 AM

Yes, but ... I heard this pitch a decade ago about firewalls. The firewall approach was said to create a hard crunchy outside to protect a soft and tender inner network. With a metaphor like that, of course the "ideal" was a hardened network everywhere with no need for the firewall. [Ok, I did sort of sucker into that for awhile, after all it was promulgated by the then leader in that field. He may still be at it for all I know or care.] Well, most network deployments did improve (relatively), and now we know firewalls are integral part of being crunchy. QED-not. That all software will become embedded and invisible is another of those awful, highly irritating, misleading and very false cliches, but one with a lot longer life. The fly in the ointment is that organizations and individuals CREATE their own software, even if it simply requires "configuration" or adding domain specific (aka business) rules, but typically for organizations at least requires much, much more. [See Phillip Armour on software as the automation of knowledge, note that some knowledge is meant to be exposed. QED for real.] Bruce has it backwards and to be fair, also knows better; every developer must now step up to the plate and understand that for every functionality they introduce they also provide new vulnerabilities and new paths for attacks that are literally unimaginable at the present moment (plus a bunch that are!). We live in a world of intended functionality versus unintended anti-functionality, i.e. anything additional that was not wanted and especially what undermines what was desired. Yes, in the end, software is all about the satisfaction of desires. The common heuristic is use case versus abuse case. It is the independent software expert who may be endangered and it would be good riddance to that. Unfortunately those claims are just as wishfully false as invisible software. Except if we flood the market enough, we can pretty much make the "independent" element an extinct species.

Danny LiebermanMay 6, 2007 9:10 AM

By focusing on vulnerabilities and ignoring valuable assets and alternative countermeasure strategies, Bruce is looking at only part of the risk equation:

Risk =
Asset Value X Threats x Vulnerabilities x Countermeasures

Although we cannot control the threats we can leverage the free market economy of IT security products to our advantage by selecting and implementing the MOST COST-EFFECTIVE countermeasures to reduce the risk equation. Instead of buying a Web application firewall - it may be 1/3 cheaper to fix the bugs in your web app - and even if quality isnt free - at least you're not paying Symantec 20% a year for maintenance.

See my post at http://www.software.co.il/blog/2007/05/...

supersnailMay 8, 2007 4:14 AM

I bothe agree and disagree with Bruce here!
I use computers at home and at work.

I totaly agree with Bruce that consumer and small business PCs should be adequately secure "out of the box", at home I believe my windows PC to be secure -- after spending some 100 Euros and installing several software packages -- but the security software uses more CPU time than I do! Considering this machine holds a Christmas card list and some photos this seems an excessive investment in security. My other machine runs a vanilla Linux varient and I hope it is secure but I have no way of verifying this -- I am not sure whether the number and frequency of security updates is a good or bad sign.

However at work I would have to disagree with Bruce. I work at an international financial organisation where the amounts of money involved and high levels of secrecy are required. Every piece of the system to be secure, no off the shelf product installed with defaults could ever acheive this level of security.
We do not purchase door locks from "Bobs Hardware" and have an intern duplicate the keys at the shopping mall! Instead various locks are evaluated and tested, the procedures for installation are defined and followed, similarly, the issuing and duplication of keys follow rigorous procedures which leave an audit trail of who has which key.
Similar procedures also apply to the puchase and installation of hardware and software and hopefully always will.

JohnJMay 14, 2007 10:55 AM

I think the Information Security industry is here for the long haul. However, if we allow that hardware & software products will evolve towards a state of being fairly secure out of the box, the nature of our industry will change and eventually split into two main focus areas:
1. Secure product development. This would be specialists who work on development & QA teams to ensure the 'default security' is in the product and is kept up to date to handle the ever evolving threat landscape.
2. Security administration. This will be the management branch that focuses on configuration, policy, audit, and compliance. Regardless of the security capabilities of the products, there are still non-technology issues as well as processes and people that require oversight.

Neil DaswaniMay 16, 2007 12:00 PM

I've been enjoying (and loving) CRYPTO-GRAM for years! Applying your argument to programmers, writing secure code could be part of every programmer's job, and we hopefully shouldn't need so many "software security" experts in some hopefully not-too-far future. The goal would be to, as per your suggestion, "make IT products and services naturally secure out of the box." Of course, we may potentially need a few specialists to advance the "state-of-the-art," but largely I'd love to see safety and security be a regular part of every software engineer's job.

To help make a contribution to move the world in that direction, I co-authored a book entitled "Foundations of Security: What Every Programmer Needs To Know" (see http://tinyurl.com/33xs6g) after I finished my doctoral degree from Stanford. I hope that the book can help give software engineers the mindset and skills to write secure code as part of their everyday jobs.

Sincerely,

Neil Daswani
http://www.neildaswani.com/

secguyJune 11, 2007 3:36 PM

What I Hate is a compliance telling me what I have to follow to be secured.

Example: PCI DSS

I have to buy many products because the standard says I have to.

Example:

A/V, spyware on POS….

Why the heck do I need this on a POS? The POS has no access out to the internet like mail or http… It only has the one APP. That comes up for POS activities… granted most POS now is XP based.

balaji kApril 25, 2008 11:05 AM

which is the best course in corporate security industry and which course is the value in now days

B.MAugust 5, 2008 7:46 PM

I agree that we really need a security industry but wouldnt it will shift towards globalisation with trusted computing concepts where only one organisation is driving and responsible for the whole process? There wouldn't be any check or poiting fingers, if there will be , they will be ignored could be intentionaly.

ioniqSeptember 11, 2008 9:48 AM

Different buyers of software need different levels of security. So why should they pay for security already included in the application. It's better for them to buy the basic version and them add on to it security of any other add-on they want and pay exactly for what they have bought.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..