Michal Zalewski On Security's Broken Promises
Lipton-Arena writes "In a thought-provoking guest editorial on ZDNet, Google security guru Michal Zalewski laments the IT security industry's broken promises and argues that little has been done over the years to improve the situation. From the article: 'We have in essence completely failed to come up with even the most rudimentary, usable frameworks for understanding and assessing the security of modern software; and spare for several brilliant treatises and limited-scale experiments, we do not even have any real-world success stories to share. The focus is almost exclusively on reactive, secondary security measures: vulnerability management, malware and attack detection, sandboxing, and so forth; and perhaps on selectively pointing out flaws in somebody else's code. The frustrating, jealously guarded secret is that when it comes to actually enabling others to develop secure systems, we deliver far less value than could be expected.'"
Do you actually think that all IT and PC security companies have a giant cartel going, where they all secretly agree to suck?
Of course not. And I'm not suggesting any type of "conspiracy" from individual companies or groups of them. It's just not in their best interest to "fix" the problem and it would be a poor business decision to do so. 'Adequate is good enough' is what I see from this industry.
The companies that have true motivation to solve this problem are the OS vendors. MS has come a long way with Windows 7, and Apple & Linux do a pretty good job of issuing patches and updates, but there's still a lot of work to be done all the way around. The 3rd party software included with OS X & Linux distributions is usually where the security holes are, though it's getting better too.