Schneier: Beware Security Products
A leading security expert has warned businesses to beware of buying shoddy security products.
Bruce Schneier, founder and chief technical officer of BT Counterpane, issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.
"There might be a political bent to security decisions, or there might be a marketing bent," said Schneier, citing as an example people selling smart cards who "do a lot to convince us that smart cards are the answer to security problems. For every company that's secure, there's at least one 'me too.'"
Schneier said it was difficult for companies to judge the security of varying products because known attacks are relatively rare, making it hard to collect enough data for security-product evaluations.
"If events are high-damage and rare it's difficult to get data. I'm not going to know (the validity of a product) because I don't have the data. After 9/11 there was a huge inquiry into what went wrong, but it's hard to tell what went wrong because it was one event. There's not enough data," said Schneier.
"The (security) market is asymetrical--the seller knows a lot more than the buyer," said Schneier. "In the U.S., a lousy used car is called a lemon--but you don't know until you drive it off the lot that it's a lemon."
If marketed correctly, bad products can drive good products out of the market, Schneier warned.
"Products can have the same claims, the same algorithms, the same buzzwords, and one is very secure while the other is just slapped together. If there's no functional way to test a product, you'll buy the cheaper one," said Schneier.
Schneier said that due to market dynamics, good products tend to rise to the top, but that the market probably couldn't stop the incidence of rare events. He warned businesses not to get "caught up in the feeling of security, driven by fear, rather than the reality."
"Fundamentally, we are not rational," said Schneier. "The brain is just barely functioning in the security community. It's still in beta testing. There's weird holes and shortcuts, and all sorts of patches and work-arounds."
Businesses should evaluate security products very carefully, said Schneier, and find trusted individuals with expertise who can make security decisions within a company.
Eric Baize, senior director of the product security office of storage company EMC, agreed that there were both good- and bad-quality security products available.
"The law of statistics is such that in anything there are good- and bad-quality things," said Baize. "This applies to wine, food, and security products. There has been a lot of discussion about whether security should be added on to the infrastructure, or included as a core feature. Now in the security space companies are selling secure infrastructures."
Shannon Kellogg, director of information security policy for security company RSA, said that it was critical to build security into systems from the beginning.
"Building core security functionalities is absolutely critical," Kellogg said. "Systems in the past didn't have security functionalities, but it enables your company to do more. If your car has brakes, it enables you to go faster."
Tom Espiner of ZDNet UK reported from London.