Last week, I read that well known security expert and writer Bruce Schneier recently opined that there should be no network security industry, because software vendors should make their products so secure that there would be no need for third party security products. He apparently said this at the Infosecurity conference in London (which, interestingly enough, is sponsored by security vendors). You can read about his comments here (incidentally, all of us here hold Bruce in very high regard, so this blog post is not intended to be criticism of him).
At first glance, it sounds like a reasonable rant. Why don’t the software makers just build complete security into every one of their programs to begin with? But when you think about it a little more deeply, you realize he’s asking the impossible. There’s no such thing as a completely secure software program (just as there’s no such thing as complete secure in any other aspect of life). Even if an application or operating system, at the time of its release, was designed to lock out every possible type of attack or exploit known at that time, it wouldn’t stay secure for long.
That’s because attackers are always coming up with brand new ways of getting into systems. And a computer or network isn’t a static thing. We’re always adding new programs, new devices, that can provide new attack surfaces.
Saying that there should be no need for third party security vendors is a little like saying there should be no need for the home or business physical security business, that builders should make all houses and commercial buildings impervious to intruders right “out of the box.” That means you mandate that every home sold must have a deadbolt locks on every door and window, a built in alarm system, and an electric fence around the perimeter. Maybe the builders should also throw in a growling pit bull and give each homebuyer a .40 caliber Glock, for good measure.
The problem is that even with all those security mechanisms, some determined burglars would manage to get in if they really wanted to. They can always break a window or even cut a hole in the side of the house. So now we have to mandate that all houses be made of steel plates and windows be unbreakable glass.
At this point, we’ve created a much more secure (although still not completely secure) house, but we’ve also priced most people out of the possibility of ever owning a house. But let’s say price is no object. We could go a few steps further and make the house almost completely secure, by doing away with points of attack such as doors and windows completely. We’d have one steel vault door through which the inhabitants go in and out. No chimneys, no vents or other entry points that can be exploited by would-be intruders. Now not only can almost no one afford a house, almost no one would want one. Who wants to live in a steel box that you can’t see out of, even if it does make you feel really, really safe.
Of course, there’s still a chance that a really determined and/or really smart bad guy can find a way to get in through that same vault door that you use. If you want to ensure that doesn’t happen, you have to seal up the door and lock yourself permanently inside. Now you’ve made the house secure – and completely dysfunctional. It no longer serves its purpose as a place to live.
Likewise, you can only build security into software up to a point. At that point, it becomes too expensive or too unusable for the average person. One reason third party security vendors will always be necessary is that not everyone’s security needs are the same. Just as some homeowners, because they have many valuables or because they live in a particularly dangerous neighborhood or because they have high profile names that make them targets, need the electrified fences and surveillance cameras and laser beam motion detectors and others don’t, some computer users need a higher level of security than others.
OS and application vendors are paying much more attention to security these days, and that’s great. But expecting them to ship software that’s completely secure is just silly. Of course it would be nice if we didn’t need to buy extra products to protect our computers. If we want to fantasize about Utopian situations, it would be nice if we didn’t need to take vitamins to protect ourselves against deficiencies and pay for car insurance to protect ourselves from financial ruin in case of an accident and do all the other things we do on a regular basis to prevent bad things from happening to us.
But in my opinion, third party security vendors will always be necessary, in part because they give us choices. And choice is a good thing. The illusion that perfect security is possible is not a good thing, and the demand that software vendors “just make their products secure” feeds into that illusion.
Schneier himself is famous for saying, years ago that “security is a process, not a product.” Back then he noted that “Security processes are not a replacement for products; they’re a way of using security products effectively. They can help mitigate the risks. Network security products will have flaws; processes are necessary to catch attackers exploiting those flaws, and to fix the flaws once they become public.”
Sounds a lot more reasonable to me than a demand that product vendors make their products completely secure. Fact is, security is a process, on ongoing one. Protecting your network from attackers, like protecting your physical valuables from burglary, isn’t a “feature” that can just be “built in” to an operating system (or a house) and then forgotten about. I wish it were; it would make all our lives a lot easier.
What do you think? Should software vendors be expected to provide perfectly secure products? Is that even possible? If it is possible, do you want all network security to be “taken care of” by the original product vendor, or do you prefer being able to choose from different third party products? Let us know what you think.
Deb Shinder, MVP