Slashdot Mirror

← Back to Stories (view on slashdot.org)

Do We Really Need a Security Industry?

Posted by CmdrTaco on from the only-if-software-had-no-bugs dept.

netbuzz noted that Bruce Schneir's latest column discusses the security industry where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."

9 of 297 comments (clear)

  1. "Schneir"? by sczimme · · Score: 5, Informative


    At least spell his name correctly: Schneier.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  2. Blah, blah, blah ... by PhxBlue · · Score: 5, Funny

    If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. ...

    And if pigs flew out of my arse, I wouldn't need to go to the supermarket to buy bacon. What's his point?

    --
    !#@%*)anks for hanging up the phone, dear.
  3. Security industry is needed by xtracto · · Score: 5, Insightful

    As long as there is a human behind the computer, there *will* be a possibility of exploiting a vulnerability on the system... the human being.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  4. don't need one, but will always have one by Lord+Ender · · Score: 5, Insightful

    The problem here is that 99% of software purchasers simply don't have the ability to evaluate a product on the merits of its security. They do have the ability to evaluate products (1) on the merits of their prices.

    The companies that develop software know that (2) doing security properly is extremely expensive, and requires hiring skilled specialists, and inegrating those specialists at all levels of the development process.

    When you take points (1) and (2) into consideration, you realize that there is a lot more ROI in developing cheap insecure software than there is in developing expensive secure software.

    This is an example of capitalism failing due to poorly-informed consumers. But I can think of no way to solve the problem (a security quantifier???), so the industry will continue along as it does today: cheap software and band-aid security.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  5. That's gross by Lurker2288 · · Score: 5, Funny

    You'd eat bacon from your own ass pigs? Remind me not to come to your house for BLTs.

  6. Sort of ... but not exactly. by khasim · · Score: 5, Insightful
    From TFA:

    If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall.

    Now, take a default installation of Ubuntu Feisty Fawn. Even if you hook it straight into the Internet WITHOUT an external firewall (or running any firewall software) you'll still be very secure.

    That's because, by default, there aren't any open ports. There's no way for any worms to attack your system. That's just basic security practice.

    Now, there are other ways to crack a default Ubuntu installation. But they require that the admin have done something to make it LESS secure (or you can physically access the box).

    Your example is about the physical world. And the problem there is that physical access is already assumed. We can take steps to REDUCE the physical access, but that still leaves social engineering attacks.

    You will always need police just as you will always need sysadmins who will READ THE SECURITY LOGS. No matter how secure you are.
  7. In other news by Otis2222222 · · Score: 5, Insightful

    If people didn't commit crimes there wouldn't be a need for police.

  8. I have a better question... by johnwyles · · Score: 5, Interesting

    A better question is: Do we really need columnist like Bruce Schneir telling us what a perfect world might look like?

    --
    [[ the only 15 letter word that is spelled without repeating a letter is uncopyrightable: it may soon be, however. ]]
  9. He's right, you know.... by Time+Ed · · Score: 5, Insightful

    All the "..and if..." replies really miss the point here. Its not that he's stating the obvious, he's saying the glory days of IT security as an aftermarket industry are over. The focus of IT security is shifting from point products that deal only with the threat du jour, to integrated infrastructure. Security as a service, if you will.

    Look at Cisco. More and more of the monitoring and mitigation systems we run are turning up as part of the switch in next generation gear.

    Businesses want simple, cost effective systems that are built in to the infrastructure, don't get in the way of the money-making, and keep the bank and federal auditors happy.

    Besides, the best security tools are free. And most of IT security is just plain common sense. You don't have to have been at it as long as I have to know that. The technology we use only works one way, so threats aren't that hard to figure out. The rule is to be aware of what runs on your network and keep an eye on what comes and goes. If in the years to come that's all built in, cool.