Do we really need a security industry?'

The place for what's new and going on in the tech, innovation, and science world.
Post Reply
User avatar
Egaladeist
I am the Eg man : Coo Coo Ca Choo
Posts: 18908
Joined: Sun Dec 25, 2005 1:02 am
Location: Canada

Do we really need a security industry?'

Post: # 71063Post Egaladeist
Sat May 05, 2007 10:46 pm

Do we really need a security industry?'

"The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."

See what I mean so far? He’s right. Unassailably right, in fact. Go ahead and try to pick a fight with any sentence in that paragraph. . . . And he’s on a roll.

"Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn't help improve their security. Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the Internet becomes more secure."

http://www.networkworld.com/columnists/ ... ss-columns
Do we really need a security industry?' - Network World



User avatar
Vorlin
Taz's very own Fireman [RIP]
Posts: 2378
Joined: Fri Jun 16, 2006 3:48 pm
Are you a Spammer: No
Location: N. Augusta, SC
Contact:

Post: # 71065Post Vorlin
Sat May 05, 2007 11:23 pm

Initially, you're right. He's right. I've long thought that if programs were written properly the first time around in the sense that it does what it's supposed to do and nothing else and can't be utilized to launch attacks, spread through a network, abuse other known holes in other programs, the list goes on. The problem is, since the advent of programming (and we're going way back here), programs are written with the best of intentions but there's always flaws due to any number of reasons...the coder might be new at the language, they might have inherited someone else's work (and I hate that due to the rewrites), the deadline given might be too early for a correct job to be done so they do a quick-and-dirty (those suck) just to get it out the door, etc... On the same note of the Q&D, they might be forced to do that just because the powers-that-be are saying "We don't have time, get it out the door by Monday" or something similar (I've been on the receiving end of that).

There's a thousand reasons why a program might be insecure and/or unstable. Until programmers are given leeway to get the job done RIGHT (and dino can probably agree), we'll continue to have these myriad of problems. And let's not forget the user's role in all of this. You can hardcode a browser to not allow anything to be put onto the machine, even in cache, unless the user clicks on the "Yes, allow" button. Same with firewalls. What happens? Joe Blow user over there gets tired of seeing the same window pop up so he just clicks Yes every time. Security and such just got thrown aside. See where that's going? Until the writing of programs gets to where it needs to be AND your typical end-user actually starts wanting to avoid spyware/viruses/crashes/etc and LEARN about their machine, it'll never end.
In the world of protection, one thing is for sure: security = 1 / convenience.

Phate
Going out is soo last millenium
Posts: 234
Joined: Wed Mar 14, 2007 3:32 pm
Location: The Blue Nowhere
Contact:

Post: # 71072Post Phate
Sun May 06, 2007 12:23 am

It's not the fact that people just screw up their programs and write in a way that make it vulnerable, its the fact that its inevitable due to the rules of computation. Even the most efficient programs now that are flawless will be found vulnerable to something in the future, because as time goes on technology changes.

There will ALWAYS be a security industry.

User avatar
THE Doctor
Ex Und3rtak3r from OZ
Posts: 6583
Joined: Tue Dec 27, 2005 1:30 pm
Are you a Spammer: No

Post: # 71076Post THE Doctor
Sun May 06, 2007 12:39 am

Well most pc's are pretty damed secure until you do 2 things:
1/ connect them to networks, create shares and add printers
2/ Add users

or is that 4... what ever oh make that 5.. apply power
.. The trouble with life is there's no background music..

Remember Grasshopper: The original point and click interface was a Smith & Wesson.

User avatar
llama love
UtterTazNutter
Posts: 2971
Joined: Sat Aug 12, 2006 5:18 pm
Are you a Spammer: No
Location: Staffordshire, UK
Contact:

Post: # 71201Post llama love
Sun May 06, 2007 10:26 pm

IT products and services aren't naturally secure in the same way mains supply isn't natrually safe. Sure you can replace that plug socket with a blank face plate but how is that useful? As soon as you make a program complex enough to be of any real use it becomes complex enough to take a little more than a quick look down to ensure it is secure.

Complexity aside as what Vorlin said hinted at alot businesses don't make money out of secure applications, they make money out of functional applications, which then leads to even more complexity.

The quote just seems a little stupid to me, they may as well have said the reason people fall to death is because humans aren't naturally able to fly.

The phrase "No sh*t Sherlock" springs to mind

They then go on to helpfully point out that if viruses were ineffective there would be no need for antivirus software. Hummmm being real helpful there, I could never have come to that conclusion myself.

Needless to say with an introduction like that I didn't bother with the link. Did I miss out on anything?
Image

User avatar
Talen
What is RSI ......... REALLY
Posts: 391
Joined: Wed Mar 07, 2007 5:10 pm
Location: Northern California

Post: # 71738Post Talen
Wed May 09, 2007 3:54 am

Don't forget to factor in those occasions where two programs, both secure on their own, or at least reasonably so, when executed in a common environment suddenly behave unpredictably and introduce previously non-existent security holes and thus warranting the occasion for somewhat less than impressive run-on sentances a bored security specialist relaxing in a recliner after dinner reading a thread that probably belongs in a philosophy section for all the real merit it has.

:shock:
"No single raindrop believes it is to blame for the flood."

User avatar
Morganlefay
I've posted HOW many
Posts: 3718
Joined: Sun Jan 08, 2006 7:36 am
Are you a Spammer: No
Location: Avalon Canada

Post: # 71740Post Morganlefay
Wed May 09, 2007 4:30 am

thus warranting the occasion for somewhat less than impressive run-on sentances a bored security specialist relaxing in a recliner after dinner reading a thread that probably belongs in a philosophy section for all the real merit it has.
Catch??? :shock:


false sense of protection syndrome


MLF
A computer once beat me at chess, but it was no match for me at kickboxing.

User avatar
Aspman
Frustrated Mad Scientist
Posts: 8864
Joined: Mon Jan 09, 2006 10:07 am
Location: Scotland

Post: # 71770Post Aspman
Wed May 09, 2007 9:02 am

Yeah that is Catch-like.

The real reason there will always be a security industry.

People. People write the programs, people install them and people use them.

People are dumb, lazy and vindictive.

Infosec is all about people from inception to deletion.
"Man will never be free until the last king is strangled with the entrails of the last priest."
- Denis Diderot (1713-1784)

Post Reply