RSS
Twitter
The End Of The Security Industry Not So Unrealistic
from the gone-tomorrow dept
Last week, security expert Bruce Schneier caused a bit of a stir when he said that there shouldn't be a security industry. While his comment engendered a lot of debate, it really wasn't a particularly radical statement. As he's made clear in his latest Wired column, all he meant was that IT vendors should be building security directly into their products, rather than requiring customers to purchase security products and services separately. However, even this isn't a particularly strong stance, because it reflects what is already happening in the industry. Microsoft has received a lot of attention for its aggressive security push, while companies like Cisco, IBM and EMC have made a number of security-related purchases. Few expect this trend to abate, as many see a dour future for standalone security firms. Still, there will always be a need for specialized work in areas like malware and intrusion detection, so it's not clear that the tangible effects of this shift will be that significant.
Reader Comments
(Flattened / Threaded)
...so basically, you ripped this off of Wired.
(reply to this comment) (link to this comment)
I hate all anti-virus software anyways.
(reply to this comment) (link to this comment)
One reason we have a security industry:
Third party security often costs more than whatever is actually being secured, the people that spend that kind of money will be happy to have a secure product by default.
However, there's an even larger number of people who want to buy a piece of software for $1000, and are content with it being insecure at that cost. They would not be willing to spend $2000 on the same piece of "secure" software.
Large corporations that need maximum security would benefit from this, however small startup companies and individual users would have a huge price tag to pay for it.
(reply to this comment) (link to this comment)
I don't understand what you writing
Definitely Bruce Schneier is an expert in the field of security. I don't understand what you wanted to convey.
All the efforts you mentioned are only eye wash, the
companies like M$, IBM etc are not really implementing
security.
(reply to this comment) (link to this comment)
Not only is it needed, it's the only IT-related field with any job security left.
The vast majority of 1st-level support remote-admin jobs are already outsourced overseas. That leaves grunt-level break/fix duties for those lucky enough to find them, and even their days are numbered. 5-10 years ago it made perfect sense to pay a technician $30-40/hr to repair/maintain your $2500 computer, but how much sense does it make when today's equivalent only costs $400? How long before that box is in the "disposable" range (sub-$100)? Maybe 3-4 years?
InfoSec, however, will always remain local. No threat of obsolescence either, at least in the sense that there will always be a demand.
(reply to this comment) (link to this comment)
The computer security industry isn't going anywhere.
The expertise is required by companies to implement secure software.
'Security software' has always been useless and has been surviving by creating FUD, hopefully more people will notice this.
(reply to this comment) (link to this comment)
security is not a product
Joe, agreed. The point is that security is not only a technological problem and therefore cannot be a mere bolt-on for a product. To 'build security into products' doesn't mean to 'bundle' it with an existing product as a security feature but to design them as secure in the first place. It is a shift in attitude not just pricing or product sales.
(reply to this comment) (link to this comment)
Security is a myth
The best you can hope for is to make breaching it more trouble than it is worth.
(reply to this comment) (link to this comment)
Re: Security is a myth
If you build security into your computer system from the hardware up, it is possible to make your system almost perfectly air-tight. The last time I checked (around 2001 or so), there had never been a successful "hack" attack on an IBM AS/400. There had been successful break-ins, but they all involved social engineering, thus highlighting the fact that the main reason that computers are insecure is the same reason that anything is insecure. People.
(reply to this comment) (link to this comment)
Not Exactly
What Bruce has really been trying to say all along is that the IT security industry exists because makers of software are not held accountable for the failings of their systems. There is not enough economic incentive to code secure software. Everybody patches and everybody has security breaches, so anymore there is no real incentive for a company to try and avoid such things.
Bruce has been pushing for software makers to be liable for insecure software they produce, following his concept of security externalities. I think that is the best thing we could do to make the internet more secure and efficient. Software makers would scream and complain, but they would figure out how to make it work and consumers would learn to accept longer development times.
When we put our efforts into preventing, rather than reacting to security problems, the market is more efficient and in the end everybody wins.
(reply to this comment) (link to this comment)
"Living" Security
The thought of building software securely is great, but as long as you have people determined to cause damage and circumvent security you need a seperate entity providing security for your box. Something thats sole purpose is to block remove search for threats, with this built in sure it can be updated from the manufacturer but its not as efficient as having a piece of hardware or software whose sole purpose is security. Nothing can ever be 100% secure you can only make it difficult so that you minimize threats you can never truly "eliminate" threats to security.
(reply to this comment) (link to this comment)
security = music
I just realized I feel similar about the security industry as I do about the music industry. Security really ought to be bundled to something else. I personally have zero desire to enter the security industry and will probably do as this article suggested: I will implement my own security measures into my software packages.
The only virus I have ever received was through Windows Media Player... ironic considering I never use that program. Now, I'm a whole OS away from that thing... ^_^
(reply to this comment) (link to this comment)
Security isn't a function of technology
While I have the upmost respect for Bruce Schneier and agree with most of his editorials, I would agree with Charles and further his argument by saying that technology is a function of a larger security program instead of an isolated pocket encapsulated by technology. If you don't address the managerial & operational aspects of security (such as SETA, Policy, RA, etc....) then you don't have a security program.
There's no danger of comprehensive programs going away in the forseeable future.
(reply to this comment) (link to this comment)
Problems with security
As I see it, the problem with security on the average PC is that most people run the least secure web browser (Internet Explorer) on the least secure operating system (MS Windows) on the least secure hardware (x86-based CPUs).
The variable instruction length of the x86 makes it very difficult to audit machine code for potentially dangerous instructions. When you take that into account, and then factor in the fact that Windows is an incredibly tangled mess of kludges that no one fully understands, and the fact that IE does not keep a proper wall between itself and the operating system but instead is an integrated part of the OS, it's no wonder that the security industry is forever playing catch-up with crackers and malware producers.
(reply to this comment) (link to this comment)
Add Your Comment