Strategic direction: security ebb

1 Reply

Something quite prominent happened in the security field over the last week. It is a strategic move so I am going to talk about it here rather than on Holy Hash! although it would be interesting to the security folks too.

So, what happened, you ask? Ah, nothing so spectacular that TV shows would interrupt their evening program for but so momentous that I wish they would. It all started with the little exercise at RSA Conference where a couple of so-called “security leaders” declared that security is the territory of really large companies and anyone smaller should just forget about it. I already wrote my opinion about the basic idea of ignoring risks in an area where an incident, according to Coverity, runs on average to 7 million dollars but can easily be a couple of orders of magnitude more.

It would all go away into the history unnoticed if it was not for Bruce Schneier who suddenly chipped in with his commentary that he agrees to the gentlemen in question. Now, Bruce is not stoopid and he is the head of security for BT. To explain to our full satisfaction how come that his words go counter to what he usually preaches in his books and security life, we have to take it as the corporate direction from BT. Otherwise why would he go to the trouble of participating in this publicity stunt?

So here is a sand castle of conspiracy theory for you to contemplate. Notice now, how we suddenly have 3 companies largely unrelated to each other preaching the same message on highly respected channels. First, let’s summarize the message. I think it could be said along the lines of:

Only really large corporations can afford to invest in security. Small companies cannot justify the investment in security. Unless a company suffers a security problem the company must ignore security completely.

When I re-read that, I cannot help myself wondering: “where is IBM?” They should be in this game, they have been at it for decades! But I digress.

Whether the message is in earnest, as a joke or in pretense does not matter. What matters is the content of the message and the credibility of the source. Using serious well-known channels like RSA Conference and Bruce Schneier practically guarantees a large outreach for the message and the credibility of “beyond serious doubt” being automatically stamped all over it.

So this is the message and it is easy to imagine that the “smaller” companies would follow the advice and will not take care of their own security and the security of their own products. What will happen? They will lose all security related expertise, security developers and so on. So they will have to outsource the security somewhere else when accidents happen. And security accidents happen all the time, the ignorant companies will not have to wait long.

So I can see how this is a very profitable direction for BT, that sells security solutions. I can see how that is profitable for SilverSky, that sells security services. But how is it profitable for Adobe? Well, it probably isn’t. John Viega and Brad Arkin have spent a lot of time together and Cigital will certainly benefit, so I am not surprised at the performance from amis cochons even if it is irrelevant for Adobe.

Anyhow, here is an attempt at a new trend and we will see how things move on. I suppose we have to allow for several possibilities: (1) this is just a one-off publicity stunt for the people and companies in question; (2) this is companies “testing waters” for the new “approach to security” and (3) this is the beginning of a shift towards acknowledged massive insecurity driven by those interested parties. On a hunch, I would vote for the number three.

Mitigating risks … is a waste of money?

1 Reply

There was an interesting talk at one of the panels at the RSA Conference, where SilverSky and Adobe claimed that investing in security is a waste of money. Their message is simple and compelling:

“For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure on you to do it.”

Although they say that this was all in pretense, we all know it was not, companies large and small try to avoid fixing problems as long as they can, waiting for customers to complain loud before ever doing anything. Basically, this is a risk that companies rate as unimportant because of its low perceived rate of occurrence.

The problem with this kind of risks that they cannot be properly rated. The probability of these risks is hard to rate because the data is basically unavailable. And the impact of the risk is underrated because of low perceived probability. People tend to ignore such risks.

But the companies, can they also afford to ignore such risks? What has to be considered is that a serious security problem may easily put a company out of business. Even if the company stays in business, the impact to the image of the company may be such that it will take several years to recover. These risks are what typically called “existential” or “terminal” risks.

English: A qualitative categorization of diffe...

Companies, for the most part, must account for and mitigate certain risks that would place them out of business. Doing otherwise is called gambling and is totally irresponsible towards the shareholders.

Everything is a hammer…

Leave a reply

Image representing Nokia as depicted in CrunchBase

It looks like for Stephen Elop, the Microsoft  manager in charge of Nokia, everything looks like a Windows computer. What is all this nonsense about Nokia delivering cheap smartphones in developing countries? That market is already taken, first by LG and Samsung and then a couple times over by Chinese manufacturers. He ran the most successful mobile company in the world into the ground and he should be proud of that achievement. I am sure he is. Can you imagine what it takes, what kind of dedication, to actually take the market leader and run it into the ground, destroy everything very quickly and systematically? It is a mind-boggling achievement. We will be watching Stephen for his next career move to see what company will be brought to its knees next.

Related articles

Software Security Philosophy

Leave a reply

What is “security”? Well, not in broad sense, that is, but in software security? What does it mean: to develop secure software? What do we understand to fall into the realm of software security?

I tell you what I mean when I say “software security”. For me, the software security means to bring the intent of the original designer to the customer.

This is very simple. The designer had some idea in mind when designing the software. He had some intention for the software to function in a particular way. That mental picture is translated into design, brought over into development, translated into source code, translated into binary, delivered, installed and configured at the csutomer’s site. And our task is to ensure that what operates now at the customer’s site reflects exactly what developer had in mind. If it does not – we have a breach of security.

I know that this is a very broad definition and it encompasses many areas traditionally thought to be Continue reading

State of security – still miserable

Leave a reply

Even after all these years the software industry seems to be ever in a state where we believe that if vulnerability exists but is unknown to the public it cannot be exploited, so our software is “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit the vulnerability instead of reporting it or helping to fix it. Having “hidden” vulnerabilities doesn’t really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they will be exploited.

Security is a fascinating subject even for uninitiated not to mention Bruce (who makes money with it no slower than the US Treasury printing presses) that may be looked at from different perspectives and talked about in several management dialects, including McKenzie (I do not speak it but I can understand it in a round-about sort of ways). Talking about security often gives you a cozy feeling. And all those diagrams, tables and, oh my, vectors and mitigations, they are so neat and kosher… until someone starts asking hard questions. Pray this someone is not your customer.

Talking about security does not help. Keeping it quiet does not help either. Only doing does.

The Future of NFC Payments

Leave a reply

Someone asked me to provide feedback on an article regarding The Future of NFC Payments (yes, capitalized, like in “Big Future”). I do not cherish the idea of giving up my contact details for a brochure download, so I did not read the actual paper. I cannot imagine why people would not want their ideas to be widespread. I think it is silly to force people to register when you want them to read your articles, for they will simply read it elsewhere.

Anyhow, back to the subject of mobile payments with NFC – that’s what the paper claims to be about. I do not really know what they said inside but seeing “NFC was hailed as one of the biggest trends for mobile operators for 2011″ in the blurb is enough to get an idea of what might be on the inside.

Now, let’s be clear that mobile payments are a fighting ground for two large forces: the banking industry and the mobile service industry. Both of them deal with a lot of customers and a lot of cash. And none of them would willingly give up the payment transactions stream to another. One, the banking industry, owns the terminals and the networks, the payment infrastructure. The other, the mobile industry, owns the handset and the SIM card, the means of payment.

So, until I hear that those two – mobile operators and banking associations – came into some sort of an agreement between themselves on some terms regarding the mobile payments, I am not going to lose my sleep over any imagined mobile payments trends, with or without NFC, this year.

Mind you, there is always a chance for a small handset manufacturer like Apple to come up with a painfully obvious scheme that Nokia simply cannot afford…. But that is another story.

Near Field Communication (NFC)

Leave a reply

I stumbled upon an article in PopSci (Popular Science?) on-line publication titled Everything You Need to Know About Near Field Communication. My opinion is that many of the things described there reflect a lot of wishful thinking on the part of the smart card industry players. Especially where they go on about “everything has just started to come together”, which is exactly the same thing they were saying for the last five years or so. I was on the inside, I should know.

I think that for the more inclined to actually understand the technology in easy words, I would suggest simply reading the original NFC White Paper written by myself years ago and published by Ecma International. Trust me, nothing much has changed in the meantime, all concepts still apply today as they applied then.