Security

Do We Really Need a Security Industry? 297

netbuzz noted that Bruce Schneier's latest column discusses the security industry, where he points out that "The primary reason the IT security industry exists is because IT products and services aren't naturally secure. If computers were already secure against viruses, there wouldn't be any need for antivirus products. If bad network traffic couldn't be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn't have to spend billions every year making them secure."
  • by Anonymous Coward on Thursday May 03, 2007 @04:15PM (#18978243)
    I mean they only exist because cars aren't built perfectly.
  • by PrescriptionWarning ( 932687 ) on Thursday May 03, 2007 @04:15PM (#18978257)
    It's kinda like saying that someone who gets raped is responsible because they didn't have martial arts skills, and wouldn't need mace or a stun gun in the first place if only judo was taught at schools or something crazy like that. Where does the blame game end?

    You wanna know whose fault it is? It's the person breaking the law, breaking the systems. But you know what you can do about that? Next to crap.
  • by Evil W1zard ( 832703 ) on Thursday May 03, 2007 @04:22PM (#18978425) Journal
    I say just build an unbelievably simple AIS that has zero functionality. That's right: no user interfaces, no applications, no storage of information, not even a keyboard. Then we wouldn't have to worry about all that nasty malicious code, and keystroke loggers and... Oh crap someone just walked in and stole my do-nothing non-functional system. Guess I still need physical security.

    I have the utmost respect for Bruce, but that statement is fairly ridiculous. It's like saying if we built automobiles that could never crash then we wouldn't need road rules. Basically you can sub anything into that statement. If we made food that wasn't unhealthy we would need Jared and annoying Subway commercials...
  • by Anonymous Coward on Thursday May 03, 2007 @04:23PM (#18978445)
    and people inside were fed from tubes from the ceiling, and no money or physical objects ever entered or left the premises, then there would be no need for security guards.

    then again, maybe IT security guards should be making 10 dollars an hour and normal security guards should be making the same (it would be a raise)
  • by blindd0t ( 855876 ) on Thursday May 03, 2007 @04:44PM (#18978863)

    If people were perfectly peaceful, we wouldn't need laws or governance

    If everybody washed their bums correctly and cooked meat well every time, nobody would have to worry about butt-worms

    If people were perfectly courteous and attentive on the road, there would be no need for auto-insurance

    So now let us imagine what it would take to get to a point where we no longer need people specialized in securing and maintaining the integrity of data. Do We Really Need a Security Industry? YES! We most definitely do, and always will! Is there room for improvement? Yes, vasts, and there always will be!

  • by DECS ( 891519 ) on Thursday May 03, 2007 @04:51PM (#18978989) Homepage Journal
    The real solution to butt-worms is having people not demanding food all the time. If people weren't hungry, we wouldn't need a food industry, and we could spend all that frivolously wasted money on podiums for pontificating analysts.

    That would also rid the world of the foodborne butt-worms problem. Actually it would trade off butt-worms of one sort for another, but you can't have it all.

    http://www.roughlydrafted.com/ [roughlydrafted.com]
  • by nick_davison ( 217681 ) on Thursday May 03, 2007 @05:01PM (#18979207)
    Actually, disturbingly, you have that backwards...

    The concept was that if computers were secure anyway, threats to them would be non-issues.

    The simile isn't "If murderers just stopped wanting to kill us." More accurately, it's "It's the victims' fault for being murderable."

    It's about on a par with those who claim the students at VT deserved what they got because they didn't protect themselves by carrying guns.
  • by johnwyles ( 704259 ) on Thursday May 03, 2007 @05:10PM (#18979383)
    A better question is: Do we really need columnists like Bruce Schneier telling us what a perfect world might look like?
  • Re:Yet... (Score:2, Interesting)

    by Known Nutter ( 988758 ) on Thursday May 03, 2007 @06:01PM (#18980205)
    I am personally obligated to post this link every time I see "Zone Alarm" and some phrase describing 'hack attempts' and 'logs' posted on the internet.

    While most (read: all) of /. gets this, I post for user #1018050. Sir, please read this short article:

    http://samspade.org/d/firewalls.html [samspade.org]

  • My take (Score:3, Interesting)

    by Jaime2 ( 824950 ) on Thursday May 03, 2007 @09:18PM (#18982563)
    My take on this article is that it is a bad thing to separate "IT Operations" from "Security". It annoys me every time I see a company that has a "Chief Security Officer". Security is a fairly unique problem and can't be handled the same way as getting the lawn cut.

    You can always create a "Groundkeeping Crew" and then no one else in the entire company would have to worry about the grass. However, the day you create an "IT Security Task Force", everyone else lets down their guard. Products like personal firewalls and anti-spyware have allowed application and OS developers to sell insecure software without retribution. If security were forced back to the source where the problem is easiest to solve, we would be in better shape today.

    Instead, I see a security team trying to lock down the network and application architecture teams trying to get as much data through as possible. Since everyone's goals are 180 degrees from each other, things go much more smoothly when they keep the other side in the dark.
  • by The Monster ( 227884 ) on Thursday May 03, 2007 @11:26PM (#18983479) Homepage

    What Bruce thinks is that as computing becomes a utility the security needs will decrease.
    No, he thinks that as computing becomes a utility, the market for selling security to end users will fade away, because the 'utilities' will be buying the security wholesale. Users won't care about whether any anti-virus products are running on Google's servers; they'll only care if they can get access to the shared documents that they run their businesses on.

    What Schneier is saying is that security won't be an add-on, after-the-fact product that people buy to protect their computing infrastructure. It will be integrated into the design of every program that a 'utility' runs, because the best way to assure your customers they'll have five nines of reliability is to build every piece of the system to be as secure as possible from the ground up.

    (Insert folk tale of the impracticality of retrieving scattered livestock vs. maintaining the structural integrity of their enclosure and preventing their escape in the first place.)

  • by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Friday May 04, 2007 @09:38AM (#18987387)

    What Bruce thinks is that as computing becomes a utility the security needs will decrease.

    That's not what he argues, though.

    If you RTFM, Bruce's article argues that as computing becomes a utility, security will become "baked in" such that 3rd-party, add-on security products will, to the extent that they exist at all, be implicit functionality that users don't need to think about. To the extent that security will become cheaper, that's because R&D on it will be largely paid for by the utilities (who have an interest in lowering costs) rather than the vendors (who don't).

    Not the same thing at all.
