The shoemaker
The old story goes "Everyone in town has good shoes, except the shoemaker's children - - - he's too busy making shoes". Isn't that a hoot, an oxymoron and just plain ironic!
Now using that as a backdrop, what are your expectations of vendors which sell (or give away, it doesn't matter) security products? Should they not be the bastions of "this is how we do it: we use our own tools and have trapped / blocked all infections from the Internet, and so can you"?
One would think that leading by example and providing templates and profiles for layered security, gateway controls for protection of intellectual property, securing email, in-house DNS services, and methods of controlling those ubiquitous USB devices would just naturally be at the forefront of the vendor's promotional collateral.
However, what is the experience in the marketplace today? One security vendor has been fooled into issuing fraudulent SSL certificates and another vendor's product has been hacked. This raises the question: "if the vendors themselves cannot protect their systems, then can anyone secure an infrastructure?"
Yeah, we all know there is no silver bullet to kill this vampire, and without real demonstrable results there is no success story to promote (sigh). But until we try to do better, nothing will change. Have you ever heard the definition of insanity? Insanity is doing the same thing over and over but expecting somehow to find a different result. Change comes with (sometimes) a great deal of struggle and sometimes even with pain, but without change - - are we not insane?
When you rehab a structure, one of the first things you do is to ensure that the foundation is stable and sound. Why invest time, effort and money on a superstructure when the foundation is on the verge of collapse? The 'foundations of the Internet', amongst others, are the TCP/IP system itself, the DNS system and basic Email services. TCP/IP is undergoing the conversion to IPv6, and if IPsec is mandated, the transport system will be much better. The DNS system has a new incarnation, DNSSEC, which will block DNS cache poisoning and give everyone authenticated responses. As for Email - - today's SMTP is just hopeless. It is built upon terrible assumptions (I trust you and you can trust me) and that's not sufficient in the 21st century. A whole new Email system is required, and that WILL be painful, but unless we are narcissistic and love to fight spam every morning, we are just volunteering to be committed until we make that effort.
I wonder, going back to the leading by example "this is how we do it" statement, if this is an opportunity to create a consortium of vendors to solve root causes? Perhaps a laboratory might be created to work on real solutions rather than continuing insanely.
In case you're wondering what seeded this rant, it was the Infoworld.com March 25, 2011 article by Robert Lemos
Quote
"As attacks on the security infrastructure increase, we must ask if the firms responsible for our safety can protect themselves, much less us"
I think a big part of the problem is the view that it is better to ask for forgiveness than permission when it comes to vulnerability disclosure. Vendors have a financial interest in protecting their reputation, and this is apparent in the number of pre-disclosure threats they make; if your organization is withholding vulnerability information due to concerns over a legal reaction from the affected vendors, then you have already lost the game and are doing a disservice to every user that relies on that vendor's product or service.
There are also a lot of unjustified legal actions and threats against researchers who have tried to warn the public about serious security issues.
I would like to add a link to a very good read with warnings about some research that was just done:
http://www.securityw...-internets-core