Do We Really Need a Security Industry?

Fri, 04 May 2007 09:20:40 GMT

I couldn't believe my eyes when I saw Schneier's latest post. With all due respect, I think that he tried to say something but eventually came up with something else that sounds horribly wrong. I usually don't get into flame wars for obvious and quite practical reasons, but here I would like to share my view on the matter. I will break down the entire post into separate Q&A sections so it is easier to comprehend.

Will I be secure if the software is written with security in mind?

No! No matter how secure software is, it can be broken into. Forget about buffer overflows and injection issues. Think of being legitimate. The easiest way to break into someone's computer is to try combinations of various usernames and passwords. The cracking could be harder, but not impossible.

Will software ever be secure?

No! The further we go, the more insecure software will become. Have a look around you. What do you see? I see hundreds of companies which are getting their products out in just a couple of weeks of hardcore, agile development. Today software vendors have to be agile in order to win the race. They will produce even more software in less time. That, in general, leads to a lot of errors. Software vendors know that bugs exist and they already have PR strategies to tackle them when they are discovered.

Is it possible for one vendor to solve all security problems?

No! Since Schneier is mentioning BT, let's take them as an example. BT might be able to stop the majority of attacks that target their networks; however, they will stop only the script kiddies. If the attackers are determined enough, they will be able to bypass whatever restrictions are in place. Do not ever think that BT will handle the security for you. Think about it! Does your government handle the security of your house? There are laws to prevent the majority of crimes, but there is nothing that can stop someone from breaking into your house and trashing it completely.

Do We Really Need a Security Industry?

Yes! I know that. You should know that. Everyone should know that. If you believe that you are secure out of the box... come on... get real. This is madness. Nothing has changed since the beginning of humanity. Nothing will change until our end. Physical and IT security are quite similar by nature. I don't think that we are going to get rid of the police and other public institutions ever. Why would it be any different for the IT industry?

This is all I have to say. I know that I sound a bit like a madman, but to me Schneier's statement that "we don't need IT security industry if software is secure out of the box" is against my way of thought. I find his statement amusing but at the same time quite dangerous. Schneier is a well-known opinion maker and as such he should be careful with the ideas he is feeding into the media. We still love you Bruce.

Aodhhan
First time I've heard of him. After reading his column I know why. He obviously lacks any detailed education with TCP/IP, software development/reverse engineering, defense in depth, and the all powerful malicious insider. ...Or perhaps he was drinking.
David Kierznowski
In most cases all these things come down to money and not ethics - this is what I picked up from Bruce's post. The major driving force behind security has always been fear. Why install alarms around your house, because it looks pretty? The security industry thrives and booms on fear. What if my company website looks bad after being defaced? What if our customers' information is disclosed to the Internet? What if corporate and government secrets are stolen? What drives the fear? Ultimately I believe it's money in the form of credibility. If this makes us look bad we lose customers and therefore lose money. As long as there are bad guys doing bad things, the security industry will be around. If they really wanted to hinder progress, they shouldn't do anything at all and be patient.
Gar
Let me be the devil's advocate here. What is wrong with the security industry is that much of it - think antiviruses - tries to mitigate problems that happened. Now there is a very good reason for that: pointy-haired bosses are blissfully unaware of how secure their products are, and are therefore unable to wisely spend money on their own products' security. But they will have problems, and they will spend a pot of money in trying to fix the problems once they are discovered. I don't know if our economy (market forces, whatever) will be able to head into the distant future Schneier describes, where the security industry can't be told apart from the software industry. Still, I'd consider the security industry a failure if it doesn't happen.
pdp
Gar, here is an interesting thought for you...
Security is a process not a destination.