Yes, we do need the security industry….
A few weeks ago Bruce Schneier asked himself whether the security industry is really necessary. If systems were naturally secure, security products and services wouldn’t be needed, right?
Problem is, not all security problems and vulnerabilities come from implementation or design errors. So, what constitutes a secure product? Is it zero vulnerabilities? Defense against bruteforcing the authentication? Ability to disallow actions that might cause harm to another system? It’s certainly problematic to define, even harder to implement.
For the sake of discussion, let’s picture a product that is “secure by default”. Does that mean it will always be? We can’t be sure. I believe it’s just a matter of how hard we look, and without the security industry all we can be certain about is that we won’t look that hard. Sure, there would be no publicly known vulnerabilities - but does that mean there aren’t any?

6. September 2007 at 16:26
[…] This is an example of why we need the security industry. […]