We Don’t Suck Enough!
Thomas Ptacek | May 11th, 2006 | Filed Under: Industry Punditry, Uncategorized
Rothman does a better job of analyzing David Berlind’s “security is dead” post than I do, so I’ll try to keep this post mechanical.
My thesis: David Berlind does not know what he’s talking about. If he’s right, he doesn’t know why.
Microsoft appears to finally be getting its security house in order.
Implication: The maggots of the security industry will soon run out of carrion to feast on.
Fact: Microsoft’s codebase is getting progressively stronger (though it is not yet “Unbreakable”, and it remains to be seen whether “Unbreakable” is achievable).
But…: Microsoft is just one company. Tens of billions of dollars worth of vulnerable software is shipped every year. More importantly, security problems predate and transcend Microsoft vulnerabilities.
Food for Thought: Microsoft is a security industry success story.
It has been a long time since malware that exploited a vulnerability in Microsoft’s operating systems or applications resulted in a widespread outbreak [such as] SoBig, CodeRed, Melissa, [or] ILOVEYOU.
Implication: even the criminals are running out of steam.
Fact: SoBig, Melissa, and ILOVEYOU are email viruses, not worms that exploit vulnerabilities in Microsoft’s operating systems. We are not running out of them. Zotob is months old.
But…: Microsoft worms ARE getting “less frequent” (a funny assertion given the size of our data set, but, whatever).
Food for Thought: Again, success story. When every other vendor exerts the effort Microsoft did, and all future software is assured the same way, worms — absent for the majority of the dot-com era (chronologically and by revenue) — may cease to be a threat. Isn’t this an opportunity?
Windows “surface area” (digital security-speak for multiple swaths of vulnerabilities) continues to shrink
Implication: Are you listening, people? No more Microsoft holes!
Fact: The term is “attack surface”. It refers not to “multiple swaths of vulnerabilities”, but the exposed functionality (or, analogously, the exposed complexity) of a system. And the Windows attack surface is not shrinking.
[Quoting SANS] “OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.” When I think of words that foster confidence […], “tatters” is not one of those words.
Implication: Your guess is as good as mine. OS X has lots of vulnerabilities? Doesn’t that contradict his claim?
Fact: There isn’t even a parallel universe in which OS X threats are currently a top security threat. And the statement “OS X is not bulletproof” is nearly content-free.
But…: Of course OS X has vulnerabilities. Just like everything else.
[Regarding Fred Felman and Te Smith, formerly of Zone Labs, then of Tenebril, yet another anti-Spyware company, saying “security is beat”.] I’m with Felman who spent the better part of the last decade selling security products. When someone like that says the business is beat and backs it up by leaving it, the business is beat.
Implication: The security business is beat.
Fact: Now is probably not a great time to start an anti-Spyware company.
But…: Someone want to take a guess at the annual budget for Anti-Spyware in the average F500? Now, how about firewalls?
Need another smoking gun? I don’t think you have to look beyond Symantec
Implication: Symantec is giving up security because… (wait for it)
Fact: … Symantec went on a security company buying binge! Also, the overwhelming majority of Symantec’s top line revenue comes from antivirus (is antivirus security? Depends. Who’s the buying center?), which is an exposure probably worth mitigating.
What’s actually happening here is:
Yet another pundit is confusing consumer “security” with Security. It is entirely possible (if unlikely) that consumer security is becoming fallow as consumer products improve.
But:
That has nothing to do with the real security challenge, which has to do with watching the backs of the entire US economy, which built one of the greatest expansions in productivity ever on a foundation of technologies and practices that can’t withstand determined attackers.
Why do I care? Because security vendors across the board are slaves to the Narrative, whether it be “there are 1000 security vendors” (surely 5 of them must already own the problem you’re working!), or “Microsoft is killing security’s Golden Goose”. At some point, I’m going to have to come up with a marketing message that simultaneously reacts to:
There’s 1000 companies just like you
You all make too much money
Pretty soon Microsoft will fix security
But you’re all failures because attackers are out-innovating you
Watch out! Flash worms! And Yetis!


Anton Chuvakin
May 11th, 2006 7:25 pm
Very fun post!! I loved it.
ivan
May 14th, 2006 12:10 am
yadda yadda
MSFT decided that the Vista fw will not have outbound blocking on by default because “it’s too hard to configure”. To me that is enough indication that they still don’t get it and that even if MSFT warez ever get to have decent security and a really reduced attack surface, the thousands of flawed programs running on top of MSFT warez will continue to provide more than the rightfully deserved cash to many greedy security vendor execs in the years to come.
Gentry
April 17th, 2007 4:42 am
Microsoft is still a long way away from being out of the woods security-wise. There are vast undiscovered countries of vulnerability in their OS & Application stacks. Much less what happens when 3rd party vendors get tossed in.