This is a simple one, from Dr. Eugene Spafford’s blog:
We know how to prevent many of our security problems — least privilege,
separation of privilege, minimization, type-safe languages, and the
like. We have over 40 years of experience and research about good
practice in building trustworthy software, but we aren’t using much of
it.
So, we have resources that are unallocated – we have time, money, and bodies we could throw at the security problem. We have the know-how and the tools to reduce the risk. And yet, we aren’t doing it.
If security were "failing" there would be evidence of people either giving up entirely and reducing their IT investments and resources, or spending more money on success.
[More info on whether security is failing here: Security Failures: Is the sky REALLY falling?]
Pete:
I’m just a plain ol’ country boy so I don’t get how you got to the last sentence; I’d suggest that preceding sentences suggest that since we’re not doing what we’re either capable of or *should* be doing, we’re failing.
Certainly not doing the right things is not cause for celebrating success.
@Chris -
My not-so-clearly made point is – since there are no significant obstacles to adding more security, then people/organizations are explicitly deciding against stronger protection. If that is the case, then security can’t be “failing” in their eyes (or they would spend more / do more).
Remember that whether or not security is failing can have multiple interpretations to individuals.
Hope this helps!
In a rare moment of synchronicity, I saw Spaf’s post in my Google Reader prior to yours and, despite your choice of words (not like mine on my blog did me any favors), I think I understand and agree with your idea.
/Hoff
Cherchez l’argent, mes amis. Mix in Spaf’s argument with Pete’s and add Marcus and Bruce, and you’ve got the answer: people don’t think security is failing enough to spend money doing something about it. The externalities aren’t intolerable. The public isn’t up in arms; if anything, security breaches have reached the same level of public semi-awareness as bombing in Iraq — it happens every day, everyone agrees how awful it is, and then they go back to their lattes.
We’re not going to fire or retrain a generation of cheap programming labor to Do the Right Thing and redesign systems. Not until it hurts enough, and let’s face it, it doesn’t. All the FUD and hand-wringing is within the security industry. We’re doing our jobs just well enough to keep things from melting down, so why should anyone pay more attention and money to something that’s mediocre but not a disaster?
Pete, I don’t know how you got the message that security ISN’T failing out of that blog entry. As far as I understood it, the point is that we’re wasting time and money treating the symptoms, rather than the problem. The point is that we can NEVER succeed if we keep doing what we’re doing.
@Tyler -
I didn’t get that message from his blog. I am suggesting that the assertions he makes are excellent evidence that security ISN’T failing.
Pete
Sacred Cow Gored? Check.
As only a certified security high priest can do, Gene Spafford has started a linkfest o’ love spawning numerous backslapping from some of my favorite people in the blogosphere. I hate enjoy to be the contrarian, so while I agree with the general senitm…