Jan 25, 2011

Information security sucks (Part I)

This will be a series of short blog posts describing why I think information security sucks.

Security software sucks:
There is security software for every security need (or non-need), but most of it is not mature enough: it is plagued by security vulnerabilities and can barely provide all the functionality the vendor claims. Most vendors invest more in marketing than in making their products more secure. If you think about it, from a business standpoint this makes sense: security is a feeling that companies are eager to get, and with good marketing vendors can provide the heroin that companies need. You buy software X and you think you are protected, and the chance that software X will be blamed for a compromise is really low. If there is a compromise while you were using software X, the vendor won't be liable, and one less customer won't affect the vendor's reputation; there will always be more customers in the pipeline. So vendors can build some crappy software, roll out a cool marketing campaign and start selling it; when they get enough customers, maybe they will start adding the functionality the marketing promised, but not security. Security is something that vendors "provide" but do not care about.

Basically we are protecting our assets with insecure software.

Most people know that security software has vulnerabilities; every day there is a new vulnerability in an antivirus product, etc. But let's talk about appliances. Some people say that nowadays perimeters are secure and that most compromises are the result of client-side exploits, etc. Networks and servers (email, database, web, etc.) are protected by costly appliances; we are talking about $25k, $50k and more, depending on company size, the product itself, etc. If an attacker wants to get into a network protected by appliance X, he only needs to get one and find its vulnerabilities; that's it. The problem for a regular attacker is how to get the appliance, because of the cost and logistics, but government agencies, criminal organizations, etc. can get them and hack them. All those networks and servers using these appliances are only protected against poor hackers.

I challenge all security vendors to expose their appliances to security community testing if they think they are secure and are providing real protection to their customers. Who will be the first to stand out?


Ant said...

This is exactly why the Common Criteria exists.

If you need to be secured against a determined attacker with plentiful resources, you should only use Common Criteria certified devices (and in the certified configuration).

Cesar Cerrudo said...

@Ant I understand what you mean, but having a device certified doesn't mean it's secure, it's just "certified".