The information security market is riddled with mediocre products because buyers are often sold on a story rather than having enough information to make a rational choice, a security expert has said. Bruce Schneier, founder and chief technical officer of BT Counterpane, said many security products offered the feeling of being …
Oh, say it ain't so!
"Vendors can't be trusted to give a reliable precis of a product's capabilities"
"For every supplier with a good product or service, there is at least one more out to make a quick buck before customers find out"
Surely you can't be serious!
Either he's a bit slow on the uptake, or he's taking the p!ss.
OK, so maybe most people would miss the fact that a scarer's market is a dream for lousy products. Like AV products, I don't use Norton or McAfee any longer. They just suck so badly for a software developer.
And of course people need to be taught how to use the product. How do you really know if your AV kit is working properly? Where's the independent test for the end-user? It takes some skill to run security tools on a machine, but there's nothing to test the effectiveness of AV besides some "lab" which you personally don't know is effective or not.
Best guarantee for Security Software
The best guarantee for security-related software is the Source Code. Any "security" product which is not supplied with the complete Source Code, in order for you to examine it yourself (if you're a competent programmer) and have it independently audited by real security experts whom you trust, is unfit for purpose.
Bruce, as usual, has the nub of a good thought and is directing it at a specific niche in the market.
"The field of information technology security is so complex that purchasing decisions are based on feelings and hunches rather than reality," is true but is not, in itself, the truth. The field of information security is certainly complex but in my extensive experience it is made more complex - not by buying decisions based on hunches - but by too many enterprises refusing to take a rational approach to managing the problem.
Let's not invest in process and structure to manage security. Let's, instead, focus on spot solutions to symptoms and fling bits of kit and gollops of software at the network. (rather like trying to cure smallpox with the application of Nivea). This demonstrates that we're Doing Something Tangible, keeps us solution-addicted security managers in a job and avoids having to spend actual money deploying actual long-term solutions based on actual (expensive) experience and knowledge.
I imagine Bruce had this at the back of his mind when he made these comments but, because of his position, is unable to articulate the thought. Unless and until businesses and other enterprises accept a structured, well-managed security program as a cost of doing business then we'll continue throwing crap at our networks and using crossed fingers as our main security posture.
Re: Best guarantee for Security Software
AJ, you're letting your open source evangelism make you sound like a twit.
To paraphrase from the article, you're indulging in "Open Source theatre"
Having the Source code no more guarantees Security than having sheet music guarantees the production of good music.
No software is without bugs, even fully audited. Good software, deployment and configuration testing are far better guarantors of quality than mere source.
Would you need the source code to know that printf("Hllo World") had a typo?
Easy to spot
I call this trash "fear-ware". It's easy to spot: its hawkers try to ramp up managers' fears and then present their product as a solution. So all you need to do is listen for the fear-inducing keywords. This used to be "hackers" but in the past year "Sarbanes-Oxley" has been heard a lot. In the Real World, the accountants that understand SOX have seen to compliance and there's precious little spillage into IT. But in the Fearful Manager's Mind.... In the past month I also heard the US interception law "CALEA" used. Of course, I'm in Australia where neither SOX nor CALEA are law. But for some odd reason the marketdroids still like to roll them out, usually with the cover story that "similar legislation is planned for Australia".
Even the "responsible" anti-virus companies try it on occasionally. One of them was trying to flog its anti-spam product to Australian universities by claiming that they had a "duty of care" (<-- fear-inducing hot word) not to allow students to see spam. Of course, if such a duty really existed then unis wouldn't offer e-mail accounts to students at all -- they'd outsource the risk by telling students to get their own e-mail accounts from Hotmail, Gmail, etc.
Blackley - good; AJS - (tending to) twit
Mr John A Blackley has expressed the real points with great clarity; I just wonder why he thinks Bruce's 'position' restrains his articulation. Am I to infer that the acquisition of Counterpane by BT limits Bruce's freedom of expression? (not trolling for 'anti BT' flame wars)
Mr Stiles' evangelism of open source has overstepped the mark. Of course NO security 'solution' seller will reveal their source-code - it embodies proprietary algorithms! The points made by Richard are apposite.
Security: A Lemons Market?
If buyers don't have enough information to determine the performance of products, then sub-standard products (lemons) will dominate the market and the producers of such rubbish will drive genuinely fastidious developers out of business.
This is where standards, CLEFs, and other rather dull (but eminently necessary) aspects should pick up...
But most of all, we all, as buyers, create the markets we deserve - if we all made more effort to avoid buying sh*te, i.e. actively avoiding products marketed using those Fear, Uncertainty and Doubt techniques, we might see less of a lemons market.
Independent Reviewers and "security labs" don't help either
Have any of you ever taken the time to read the scores of reviews out there for security software? Some of them are so out of whack it's hilarious, in a sad sort of way.
The way some of these reviewers rank software has nothing to do with its effectiveness or abilities; they get ranked on GUI layouts and "look and feel", and I see otherwise excellent products get ranked very poorly because they don't look or feel right, and functionally absent products like (/jumps on the bandwagon) Symantec and McAfee get ranked high because of cosmetic reasons, completely overlooking the fact that they fucking suck!
I agree with Stiles
Hand-waving "it's proprietary algorithms" (where have I heard that one before?). If you had the source code you'd know it's just a few matching functions and a lot of hot air, so of course they'd better hide the crap out of it. I wish they would hide their products too.
Yes They Do
The OpenBSD project -- whom I would certainly consider to be a security solution provider -- release *all* their Source Code, even under a licence that allows proprietary derivatives (in case anyone is stupid enough actually to buy them).
As for Dave and his "proprietary algorithms" -- if you keep your algorithm a secret, then how can anyone prove formally that it really is secure? We've only your word for it. How can we be sure that you didn't build in a back door -- perhaps with good intentions, e.g. in case some corporate boss forgets the master password protecting a hard disk containing the only copy of some valuable data -- and how can we be sure that someone else won't discover that back door?
Access to Source Code isn't always enough *by itself* to prove whether or not code is secure; but *lack of* access *is* always enough to make it *impossible* to prove. In other words, it is a NECESSARY condition but not a SUFFICIENT one. I feel a lot safer knowing that the Source Code to my favourite security software is being examined by people all over the world who have no obligation of loyalty to the authors and no axe to grind.