Do We Really Need a Security Industry?

HardOCP News

Wired Magazine has an interesting editorial posted today that poses the question “Do we really need a security industry?” Agree? Disagree? Hit the comments link below and share your thoughts on the matter.

The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure.
 
Wow, this is just stupid. It's like saying 'if we made cars perfect the first time then we'd never need mechanics'. Good god.

I would tend to think that some software companies get lazy with all the security software out there, but I mean come on. Nothing is perfect and nothing is completely impervious. It's just not possible. What utter nonsense.
 
Sure... in a perfect world where all developers are proficient in all areas of programming and only one programmer does all the programming for one application, Windows XP for instance, within a deadline of 8 weeks (relative). Oh, and can see into the future and see all possible hackable areas of the code, like stream buffer overruns before they were discovered. In reality, different developers do different parts of an application because it reduces the time it takes to develop an application. Let's face it, they need to meet release deadlines. Not all developers are proficient because some may have 20 years of experience while others have 1-2 years of experience in developing applications. Sure, you can make applications more secure, but it'll take much more time than the competition. By the time the secure application is ready and available, all the users/consumers are using the first unsecured application with another application that makes it secure. Are you going to spend 2-10 times what you paid for the unsecured application to migrate to the new secure application? Who is going to buy the secure product now? This is key: money and time drive deadlines. Deadlines ahead of your competition drive more revenue.
 
It's kind of like saying "If everyone obeyed the laws, we wouldn't need police", or "If everyone obeyed the laws, we wouldn't have jails"...the argument is pretty ridiculous.
 
As IT fades into the background and becomes just another utility, users will simply expect it to work -- and the details of how it works won't matter.

He's right on this part. That's my world right now. We go down for 15 minutes, and all I get is a whole lot of users telling me something's not right. Shut off the water or electricity and your building or facility manager will hear the same.

Unlike water or electricity though, software and hardware change so there will be advancement in how it works to users, but users still won't care how it really works.

And, yes, while he's critical on security, both software and hardware companies are to blame for pushing crap into the channel far before it's ready. And when you already know you're building on 30+ year old protocol networking technology then you'd better examine a little harder what it is you're creating. Two perfect examples of products not yet ready but shipped anyway are Vista and BF2.
 
The primary reason the IT security industry exists is because IT products and services aren't naturally secure

Umm, I respectfully disagree. The primary reason the security industry exists is because users and technicians do not know or perform best practices to minimize and respond to risk. Furthermore, risk is not just found in flaws with technology; risk comes from people and processes as well. A user using technology to do something in a way it was not designed for can be more risky than a user using a flawed piece of technology in the manner it was designed for. Even if all your technology worked flawlessly, you still need security practices to ensure that Joe Blow doesn't maliciously hack into your account and take .50 from it.
 
Hit the comments link below and share your thoughts on the matter.

Ahh! Where's the ANY key!?


Assuming there's an Ultimate Truth to life, the world, the universe(s), etc., how would we know we've reached it? How would we know when our electronics are completely secure with zero risk of being breached?

It's pretty safe to say that there will always be a way around something. Some people devote much of their time to trying to infiltrate systems, if not for harm, then for sport. Do we spend too much for IS? Maybe, but it's likely we're better off with it than without it. It's a good safety net in case it's needed, and humans are very prone to error, and that's all a catastrophe needs.
 
He's right on this part. That's my world right now. We go down for 15 minutes, and all I get is a whole lot of users telling me something's not right. Shut off the water or electricity and your building or facility manager will hear the same.

Unlike water or electricity though, software and hardware change so there will be advancement in how it works to users, but users still won't care how it really works.

And, yes, while he's critical on security, both software and hardware companies are to blame for pushing crap into the channel far before it's ready. And when you already know you're building on 30+ year old protocol networking technology then you'd better examine a little harder what it is you're creating. Two perfect examples of products not yet ready but shipped anyway are Vista and BF2.

Not so much for Vista, and if you try to start spreading false information on the forums you will get your ass beat, figuratively speaking.
 
We need to turn the comments on this article in to the analogy game. For example, we already have "if cars were made better, we wouldn't need mechanics" and the Ross Perot throwback about people behaving.

I personally like:

"If we just figured out gravity, there wouldn't be any airplane crashes."

I mean, seriously, this article sounds like it was contrived in a hippy commune after a "harvest"...

"hey man, you know what would be cool? If like, no one was hacking, and all developers would validate user input, and there was no rush-to-market for a software release." (pause to take a toke) "yeah man, that would be wild... then we wouldn't NEED a security industry, or firewalls, and the Internet would just be FREE."

Far out, man.
 
This is why I still believe that anti-virus companies pay people to write viruses. It's the perfect scam (so long as you don't get caught).


I have someone release a virus that causes tons of problems...and then I release anti-virus software that will "protect" them from getting infected.
 
Not so much for Vista, and if you try to start spreading false information on the forums you will get your ass beat, figuratively speaking.

I disagree. There was so much not right when released and so many partners unprepared. My point isn't that I expect everything to be perfect or that products will be secure from every attack vector. It's that, due to economics, products are rushed. And, even considering how long Vista took, it was rushed out the door. And, that's when products are released too soon and security that otherwise would be thought of isn't.
 
I disagree. There was so much not right when released and so many partners unprepared. My point isn't that I expect everything to be perfect or that products will be secure from every attack vector. It's that, due to economics, products are rushed. And, even considering how long Vista took, it was rushed out the door. And, that's when products are released too soon and security that otherwise would be thought of isn't.

Vista was worked on for 5+ years and delayed for quite a while. I don't see that as rushed, but yeah, Vista has lots of room for improvement.... It's still better to have anti-virus software though.
 
I've never had a problem with hardware security. If you buy a router today it acts as a firewall and whatnot anyway.

What I don't understand is software security products. If a virus isn't part of a security flaw, then what the heck is it? Shouldn't Microsoft provide virus protection just like it now provides security updates and Windows Defender?
 
Vista was worked on for 5+ years and delayed for quite a while. I don't see that as rushed, but yeah, Vista has lots of room for improvement.... It's still better to have anti-virus software though.

Well, the reason as to WHY it took that long is a lot more complicated than that simple one line explanation.

All of the code that was written from 2001 to 2003 on the original build of Longhorn was pretty much thrown out once the new project lead was brought in to Microsoft to get the Longhorn team on the same page. The reason for that was that the development was going in so many different directions, the result stood to be a bigger pile of garbage than Me was.

The ambitions for Longhorn were so much higher than the development team could achieve that at least one major feature (WinFS) was completely scrapped, and the complete redesign of the driver framework was being worked on and tweaked all throughout the Vista beta releases.

Now, is that rushed? If you call the real development time 2003-2006 (remember that Vista Business was released in November 2006) and consider how much of the core kernel code was changed, I would say that 3 years is the minimum development time for the monolithic beast that Windows is. Windows is not this slick modular OS that you can pull out and add modules to on a whim, like BSD, Mac OS or Linux try to accomplish. Significant portions of the NT kernel are [h]ard coded such that any changes require changing things like the user shell (explorer) and the windowing system (in Vista, Aero).

Vista actually added significant memory management features that are used specifically to combat memory-address-based exploits like buffer overflows and execution redirection, and when you already have a significant user base with a significant application base, making sure everything works is akin to trying to put out a forest fire with a garden hose.

So, when you consider the background of everything that went into Vista (remember, XP was not a significant change from 2000, and most Windows 2000 drivers even worked under Windows XP), 3 years is actually pretty fast.

What I don't understand is software security products. If a virus isn't part of a security flaw, then what the heck is it? Shouldn't Microsoft provide virus protection just like it now provides security updates and Windows Defender?

Well, that's a real Catch-22. It's kind of like asking, do you want the company who designed the locks for your house to police your neighborhood? Just because you can design a way to keep people out doesn't mean you thought about all the ways people might try to get in once they encounter your lock.

Now, you might expect Microsoft to employ a completely separate team of people from the team that develops windows to develop Windows Defender and all that security stuff, but it doesn't seem to be happening like that. Or, their team just doesn't have the experience of, say, Symantec as of yet.

The truth is that security is nearly ALWAYS an afterthought in NEW systems, and all the systems you see that are built from the ground up with security in mind are actually the result of previous systems which were not so robust when it came to security (ie, qmail resulting from problems with sendmail, IPsec from the inherent insecurity of the Internet, etc).

In my experience, Computer Science education is the same way, and security isn't even mentioned until you hit upper division courses. Look at how much code is out there right now written by "coding geniuses" who never graduated but were picked up at 70k a year during the dot-com boom in the late 90's, not to mention all of the re-used, unaudited code that has been around since before personal computers became common household items, and you'll get a feel for the necessity of some kind of specialized security sector in the computer industry.

The real issue is not whether a security industry is needed, but instead it is the question:

Why hasn't security become part of the foundation of system design?

I'm asserting that the situation we face right now would be better were it the case that security was given equal priority to functionality, but that a security industry would still be required. As it stands now, the security industry isn't going to help us any until ALL systems designers begin to think about security in every aspect of their work.
 
We need to turn the comments on this article in to the analogy game. For example, we already have "if cars were made better, we wouldn't need mechanics" and the Ross Perot throwback about people behaving.

I personally like:

"If we just figured out gravity, there wouldn't be any airplane crashes."

I mean, seriously, this article sounds like it was contrived in a hippy commune after a "harvest"...

"hey man, you know what would be cool? If like, no one was hacking, and all developers would validate user input, and there was no rush-to-market for a software release." (pause to take a toke) "yeah man, that would be wild... then we wouldn't NEED a security industry, or firewalls, and the Internet would just be FREE."

Far out, man.

Exactly
 
I think the guy's valid point is that a lot of the time, we don't need a wholly separate industry to secure IT, we need good initial design and engineers / support people who are security-minded.

I see so many companies now starting whole IT Security departments full of suits and risk-managers, reading articles, writing policies, and telling the IT guys "what they have to fix" without any regard for the technology that is actually being "secured." They are the ones who are buying the products and services of "the security industry," not the people who actually have the technical knowledge to identify and address the issues, and that is why the vendors are so successful. Same as it always was in business, some guys in suits sell some other guys in suits some product with promises of avoiding or correcting risk that may or may not have been there in the first place.

Amdahl had it right in the 80s, it's all FUD. :)
 
A machine that had no flaws.. no ways to break into it... nothing insecure.

Somehow I envision a read only computer system, with no input devices that randomly surfed the internet.
 
The question is like saying we don't need police or security guards. Of course we do. There are some people that are always going to trespass or circumvent security measures both in the physical and "virtual" worlds.
 
Wow, this is just stupid. It's like saying 'if we made cars perfect the first time then we'd never need mechanics'. Good god.

It's kind of like saying "If everyone obeyed the laws, we wouldn't need police", or "If everyone obeyed the laws, we wouldn't have jails"...the argument is pretty ridiculous.

We need to turn the comments on this article in to the analogy game. For example, we already have "if cars were made better, we wouldn't need mechanics" and the Ross Perot throwback about people behaving.

I personally like:

"If we just figured out gravity, there wouldn't be any airplane crashes."

In the end, the largest security flaw in all software is the end user.

The question is like saying we don't need police or security guards. Of course we do. There are some people that are always going to trespass or circumvent security measures both in the physical and "virtual" worlds.


Multiple QFT.

This article is a joke. Security will always be needed and it's quickly expanding as more users are climbing on. You will always find a user and there will always be a hole to fill.

Heck, if all the computer users were smart and used the internet, we wouldn't need Wired Magazine!!! :rolleyes: This logic is dangerous.
 
From the article:

Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later. Their profits would rise in step with the overall level of security on the internet.

The analogies are completely irrelevant. The question the author poses is NOT "Do we need security?" OF COURSE WE DO. The question is: do we need an entirely independent organization of security analysts, risk managers, vendors, consultants, and marketers who do nothing but come in to sell (mostly buggy or ill-conceived) products to clear up problems in other technologies? I lean toward the author's statement above.

It's really easy to read "Do we need security..." and type out a quick response without even finishing the headline. I'd challenge you to be more thoughtful than that.
 