Steal These Ideas: 5 Security Experts' Tips and Techniques

By John McCormick
Baseline
May 15, 2006

Excerpt

1 - Would a more proactive approach to security—working to ensure that stronger software security is built into applications—work any better than the reactive approaches, such as patches and external software safeguards?

Of course. It's the only possible approach. The notion that we can write lousy software, throw it out into the world and then patch it later has failed. It doesn't work. We need to write more secure software from the beginning.

2 - How satisfied do you think corporate CIOs and CSOs are with the effort their software vendors are putting into delivering more secure products? Do you see the quality of the security built into software products getting better or worse?

Most software vendors aren't putting much effort into delivering more secure products, so I hope CSOs are unsatisfied.

It's a slow process. Five years ago, Microsoft made a commitment to more security in their products, and we're just now seeing significant improvements from that. And they've got a long way to go.

My hope is that CSOs force software vendors to take security more seriously.

It's always easier to write a press release than to change engineering practices, and unless there is market pressure, software vendors will continue to do that.

3 - Do you think computer attacks are getting more sophisticated or less sophisticated? Why?

Computer attacks are getting more sophisticated, of course. Everything about computers is always getting more sophisticated—CPUs, operating systems, networks, e-mail, word processors—and computer attacks are no exception.

4 - Do corporations today have the financial and human resources they need to protect their computing environments?

Corporations certainly have the financial resources; it's just a question of proper risk management.

I have long thought that corporations are spending about the right amount of money on security, but they're spending it very badly.

Human resources are a much bigger problem, but that's why security outsourcing is such a big business these days. Corporations need to learn to outsource the skills they don't have internally.

5 What are the top two or three things a modern enterprise can do to properly manage security risk?

The first is to understand the risks, to pay attention. Network security is a business risk, and needs to be treated as such.

And the second is to work to mitigate that risk. These are general recommendations instead of specific ones, but that's the way it should be. Network technologies are all the same, but business risks are specific to the business. And look to Managed Security Services companies for the expertise you don't have.

earlier story: 2006 Dr. Dobb's Journal Excellence in Programming Award
later story: Channeling Common Sense
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..