Full Disclosure mailing list archives
Is the security industry like a lemon market?
From: "Daniel Guido" <dguido () gmail com>
Date: Wed, 23 Jul 2008 14:40:03 -0400
This pair of essays was written in 4 hours the night before they were due for last year's Cyber Security Awareness Week at Polytechnic University. They were intended to answer the question, "Is the security industry like a lemon market?" as first brought up in a Wired article by Bruce Schneier last year [1]. We'll be hosting an essay contest and many others again this year. Contests are for students only and registration is available at: http://isis.poly.edu/csaw. Feel free to contact me for more information.

-- Dan Guido

[1] http://www.schneier.com/blog/archives/2007/04/a_security_mark.html

-------------------------------

Alicia Bozyk
CSAW Essay
November 18, 2007

Trends in Security Products

Due to information asymmetries, consumers are unable to identify what security is and how they should be protected. They are easily swayed by market driven trends that recur on a regular basis. Such trends are not necessarily merit based and fail to solve the security problems that consumers face in meaningful ways. This problem has resulted in numerous products in the form of firewalls, antivirus software, intrusion detection systems (IDS), and anti-spyware and malware software. These products receive a lot of attention and are marketed as solving security problems. However, the same threats endure even when a user is fully covered by such mechanisms. The success of such security products on the market is a result of marketing and advertising, the lack of reliability provided by authoritative sources, and a lack of focus by industry professionals to create a comprehensive approach to improving computer security.

The security industry is flooded with poor quality software products which are driven by rapidly changing security trends rather than the real needs of consumers. Any new security trend introduces an influx of security offerings to the market. The consumer market for security software reached $1.6 billion last year, according to the research company IDC. The consumer ranges from large institutions and corporations to the owners of home computers. Since the market share of the security industry is so large and its targets so varied, there are considerable opportunities to create new products as trends in the industry shift. Security companies spend a large amount of money on marketing and advertising campaigns for these new offerings. The goal is to convince consumers that they are not safe unless they purchase a new product, or upgrade their existing products to include new features. As a result, companies and individuals are constantly purchasing new security products and spending more money to improve the ones that they already have. If a consumer is unwilling to invest in products that protect against the newest threats, they run the risk of appearing negligent. However, new offerings cannot guarantee security and may not provide much added value. Trend driven advertising frightens consumers into new purchases, adding more incentive for producers to push out more and more products.

Another common flaw in the security industry is that many average consumers have little or no knowledge of computer security and what it means for them. However, most consumers are convinced that they need to take some action to safeguard themselves against threats. As a result, most try at least one of the following two methods. A consumer can scour the internet for reports and reviews on security products. They can also turn to sources of authority to provide the answers for their security needs. Both methods will likely result in a consumer making unfortunate decisions about a security product that is driven by recent trends in the security industry. If a consumer tries to do their own research, it is difficult to find clear answers since they may not know what to look for and must sift through a lot of misleading advertising. If a user simply turns to an authoritative source, they might accept a bad product.

For example, Columbia University Information Technology recommends that all students and faculty members install Symantec Anti-Virus software on their personal computers. Many students take this suggestion to mean that as long as they have this software installed, they are safe. However, it is common knowledge among security professionals and hackers alike that anti-virus is not a silver bullet, anti-virus does not protect against all security threats, and anti-virus provides questionable value to begin with. The following diagram is taken from a publication by VirusTotal, an organization which tests the efficacy of all major anti-virus brands to detect new malicious code.

[Figure: Failures in Detection (Last 24 Hours); blue: 31692, red: 2. Red: Infected files not detected by at least one antivirus engine. Blue: Infected files detected by all antivirus engines.]

This diagram is evidence that, in many cases, anti-virus cannot protect against even the threats it claims to protect against.

Most consumers do not have the knowledge of the security industry needed to make informed decisions on the products they are using to protect themselves. Instead, they turn to products that protect only against the latest, most popular security threats. Since security products are trend driven and highly profitable, security professionals have little incentive to address the root causes of security threats. Creating software that only acts as a firewall or as anti-spyware does not result in comprehensive security. The industry leaves the market open for more trend driven software by not addressing entire threat classes when they become known.

Preventative measures are often not well received by the security industry. We see this in security technologies which are effective, but nonetheless have received little support from the commercial security industry. An example is SELinux and the mandatory access control framework for Linux, which was well received by security professionals. It was not until the NSA, a government agency, developed SELinux at a loss that it was brought to the public. This suggests that intervention by government agencies and non-profit organizations may be needed to break the cycle of trend driven software development. Security professionals must provide tools and guidance to software developers that will allow them to architect systems that will have long-term security benefits.

In order to begin making real strides in computer security, the entire industry must realign its goals with the needs of consumers in order to provide comprehensive security coverage, as opposed to temporary fixes for new and popularized security threats. The success of poor quality security products on the market will continue until the security industry recognizes the need to create products that lead the way to more secure software. Until then, popular trends in security threats will continue to dictate software development.

The outlook for the future remains positive, as professionals formally trained in secure product development start to enter the workforce. This new generation can recognize risk and encourage the use of a secure development lifecycle. Until then, a number of bad security products will remain on the market, and will generate huge profits for the security industry. Advertisers and other authoritative figures will compel consumers to purchase additional security products, without providing evidence that such products will work reliably or effectively. These products will continue to be driven by the latest trends in security, scaring consumers into compliance by playing on their fears of not doing enough to protect themselves.

Sources
http://www.nytimes.com/2007/01/29/technology/29ecom.html
http://www.virustotal.com/estadisticas.html

-------------------------------

Daniel Guido
Polytechnic University
Cyber Security Awareness Week 2007 Essay Contest

It's Not About Security Products

The United States, much like the rest of the world, creates laws and regulations to protect its citizens from dangers ranging from tainted food to hazardous children's toys. While these domains are regulated by governments for the safety of their citizens, another consumer product, computer software, is very loosely regulated, if at all. The United States has the Consumer Product Safety Commission to evaluate the safety of consumer products, Underwriter's Laboratory to certify products for safety, and the FDA to regulate the food industry (among others); however, no such organization exists to oversee the safety of an arguably more important product: computer software. The lack of regulation from an oversight body is alarming because there are no set standards for what is considered acceptable computer software. While there are laws which allow the government to prosecute individuals who spread malicious software, there is very little that can be done to those who negligently release insecure software.

Computer software products are one of the only products sold in the United States that have no safety regulations. Other industries recognize, address, and deal with safety issues in an organized way, as seen by the swift recall of toys by Mattel after the Consumer Product Safety Commission determined the toys contained lead. However, in computer technology, problems caused by safety issues can both lie dormant and be much more disastrous: they have the potential to affect more people with more immediacy than any other type of commercially available product. If major structural security problems were found in Microsoft's Internet Explorer or a critical piece of the Windows operating system, it would be virtually impossible to find a hospital or a government agency that would escape unaffected from such an event. Additionally, software companies are under no obligation to notify the public of the existence of such a flaw, and commonly, they do not. This threat becomes more significant when one realizes that most users of computer technology do not understand the intricacies of how computer software works. Software that has been patched looks the same as software that has not. This information asymmetry puts the consumer at a great disadvantage in even determining whether they are at risk and suggests that government regulation may be necessary to level the playing field.

Looking at regulation in the consumer health care industry: in response to a batch of contaminated vaccines that killed 13 children, Congress passed the Biologics Control Act in 1902, which laid the groundwork for what would later become the Food and Drug Administration (FDA) in 1906. Since then, the FDA's authority has expanded to cover the safety of food, dietary supplements, drugs, blood products, and so on. Testing done by the FDA minimizes such events and uncovers safety issues before products reach the market. If safety issues are uncovered after a product is in the hands of consumers, the FDA has shown itself to be highly competent in using its authority to stop production and importation of unsafe products as well as issue recalls. This can be seen in the recent counterfeit Colgate toothpaste recall earlier this summer. Regulation of the health care industry began in the early 1900s after thousands of years of medicine and snake oils. The clearly defined processes which that industry follows to deal with safety events are the result of decades of development and refinement.

When we look at the technology industry, it is still in its infancy and is poorly understood in comparison. Yet, we rely on it as much if not more. Aspects of information technology have worked their way into our banking services, health care, airline travel, public utilities, our home office, and so on. Even when considered alone, the technology industry makes billions of dollars, headlined by such stars as Google, Facebook, Microsoft, and Apple. However, as our use of information technology has increased, so has our exposure to security problems in the underlying technology. We saw these problems reach a peak in the summer of 2003 when a number of high profile worms affected Microsoft products (SQL Slammer, Blaster, Welchia, Sobig, Sober) and one was even potentially the cause of the Northeast blackout in August of that year. This fact makes the development of such processes for the technology industry all the more pressing, as the potential for disaster is enormous and highly likely. Yet, public response to such catastrophic events has been low and industry-wide actions taken to prevent their recurrence have been ineffective, non-existent, or quickly forgotten about. It seems that in the minds of the public, security issues have become so commonplace that they are accepted as a fact of life.

Home users are targeted again and again for "user education" and are told to buy anti-virus software, firewall software, anti-spyware software and so on; however, even with all these layers of protection, they are still vulnerable due to the inherently faulty code on the systems that the security products are trying to protect. No amount of security products can make up for poorly written software permeating all aspects of your computing environment. The constant patching and updating users must endure is a testament to the shoddy products that are released to the market in the first place.

Although there has been little push to regulate computer software, certain agencies and firms have begun to realize the importance of finding and fixing flaws in widely used software and, instead of selling you another product, have done so in a way one might call a public service. In an attempt to protect all users of information technology against security problems, the Department of Homeland Security recently hired Coverity, a private software company that develops code scanning tools, to identify flaws in open source applications critical to the functioning of the Internet and alert their developers before attackers have a chance to find those flaws themselves and exploit them. This project has been exceedingly well received both by developers and by users of the applications and has resulted in the discovery and remediation of thousands of potential flaws among dozens of critical software projects. Actions like those taken by the DHS have resulted in a greatly improved software ecosystem in a way that another security product could never have provided. The proactive approach taken by the Department of Homeland Security in its partnership with Coverity is an excellent example of a method that should be implemented for the entire computer industry and have its reach expanded. While various security vendors have released product after product and update after update, each claiming that they are the end-all for your security needs, DHS has provided an invaluable service to all users of technology in improving the structural integrity of software programs we all use and rely upon.

Regulation does not have to take the form of the FDA, which requires that all drugs be tested and approved for use prior to reaching the market. Rather, a publicly-funded organization which tests and certifies the structure and code security of software as it reaches the market, and is involved in releasing proactive security measures back into the industry, would be highly beneficial in fixing flaws before they become real problems. Such a certification authority, as Underwriter's Laboratory does for many products and the National Highway Traffic Safety Administration does for cars, would help level the information asymmetry currently present when consumers are attempting to make informed decisions about the software products they buy.

In today's computer industry, consumers are bombarded with products which attempt to fix faults in another product. This leads to inefficiencies, increased costs, and confusion for the consumer. Other industries, such as the food industry and financial services, have become regulated over time to fix such inefficiencies (particularly problems of inadequate information) and to protect the safety of the consumer. Given the explosive pace of the current software market, time to market is getting shorter while software is getting more complex. The aggressive and competitive nature of the software market reduces the testing time for flaws, integrity, and reliability, and without a consumer who is able to differentiate, poorer quality products flood the market and the consumer is the victim. Much like the consumer who needs a vaccine, but understands very little about the nature and reasoning behind it, is protected by the Food and Drug Administration, the average software consumer knows little about what is going on inside their computer. This situation must be helped by a public organization so that our computing experience is safe, reliable, and dependable. Government participation in aid of software development is a necessary evolutionary step to alleviate the security problems which our products face today.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/