Stuck in a Rut—Still


[tags]security marketplace, firewalls, IDS, security practices, RSA conference[/tags]
As I’ve written here before, I believe that most of what is being marketed for system security is misguided and less than sufficient.  This has been the theme of several of my invited lectures over the last couple of years, too.  Unless we come to realize that current “defenses” are really attempts to patch fundamentally faulty designs, we will continue to fail and suffer losses.  Unfortunately, the business community is too fixated on the idea that there are quick fixes to really investigate (or support) the kinds of long-term, systemic R&D that is needed to really address the problems.

Thus, I found the RSA conference and exhibition earlier this month to be (again) discouraging this year.  The speakers basically kept to a theme that (their) current solutions would work if they were consistently applied.  The exhibition had hundreds of companies displaying wares that were often indistinguishable except for the color of their T-shirts—anti-virus, firewalls (wireless or wired), authentication and access control, IDS/IPS, and vulnerability scanning.  There were a couple of companies that had software testing tools, but only 3 of those, and none marketing suites of software engineering tools.  A few companies had more novel solutions—I was particularly impressed by a few that I saw, such as the policy and measurement-based offerings by CoreTrace, ProofSpace, and SignaCert. (In the interest of full disclosure, SignaCert is based around one of my research ideas and I am an advisor to the company.)  There were also a few companies with some slick packaging of older ideas (Yoggie being one such example) that still don’t fix underlying problems, but that make it simpler to apply some of the older, known technologies.

I wasn’t the only one who felt that RSA didn’t have much new to offer this year, either.

When there is a vendor-oriented conference that has several companies marketing secure software development suites that other companies are using (not merely programs to find flaws in C and Java code), when there are booths dedicated to secured mini-OS systems for dedicated tasks, and when there are talks scheduled about how to think about limiting functionality of future offerings so as to minimize new threats, then I will have a sense that the market is beginning to move in the direction of maturity.  Until then, there are too many companies selling snake oil and talismans—and too many consumers who will continue to buy those solutions because they don’t want to give up their comfortable but dangerous behaviors.  And any “security” conference that has Bill Gates as keynote speaker—renowned security expert that he is—should be a clue about what is more important for the conference attendees: real security, or marketing.

Think I am too cynical?  Watch the rush into VoIP technologies continue, and a few years from now look at the amount of phishing, fraud, extortion and voice-spam we will have over VoIP, and how the market will support VoIP-enabled versions of some of the same solutions that were in Moscone Center this year.  Or count the number of people who will continue to mail around Word documents, despite the growing number of zero-day and unpatched exploits in Word.  Or any of several dozen current and predictable dangers that aren’t “glitches”—they are the norm.  If you really pay attention to what happens, then maybe you’ll become cynical, too.

If not, there’s always next year’s RSA Conference.


Posted by Rob Morton
on Saturday, February 24, 2007 at 11:48 AM

RSA for some time has been a marketing conference for vendor products.  “Security” vendors have had some success with getting rid of vulnerabilities through black lists, patch management systems, or other added-on security features.  For this reason, there has been an increase in confidence in add-ons.  However, the real problem is that people don’t look to the horizon, as you stated at the end of your blog post.  The convergence of existing systems such as traditional telecommunications equipment with the Internet (VoIP) will increase the number of systems that could be exploited.  Second, we will see the convergence of attacks, because attackers will look to expand their capability (as if they don’t already have enough) in the form of DDoS to capitalize on extortion schemes for financial gain (one of many examples).  Industry has already seen this type of attack in the form of botnets, an army of computers (hundreds to thousands of systems) usually controlled by an attacker to achieve a desired goal.  Georgia Tech is one of the universities leading the research on this front.  A good introduction article can be found at  The capability now to disable or take over other systems increases, because an attacker has the computing resources of yet another system.  While some added-on features will help reduce the security problems of yesteryear, I fear that the strategic focus of companies like Microsoft is not adequately looking at the horizon despite their claims.  They are now finally building in security features that are solving yesterday’s problems.  Simplifying what a system does for a specific task is a realistic approach to solving future security problems, but I do not see this fundamental principle being a part of a company’s business model.  Without this business change in leading companies like Microsoft, I fear the same systems of today will be vulnerable tomorrow.

Posted by Andy Steingruebl
on Saturday, March 17, 2007 at 10:55 AM


In all fairness, none of the companies you pointed to helps much either in a commodity, poorly architected, inherently not-securable world...

I don’t care how many digital signatures we verify, how many packets we inspect, if we rely on untrusted endpoint systems.

Yes, it’s ironic that Bill Gates is giving the keynote at a security conference.  Equally hilarious, or perhaps disconcerting, is that I’m guessing 50%+ of the tools on the show floor run on top of Windows and try to enforce security policy.

It reminds me of the scene in Monty Python’s Holy Grail…

King of Swamp Castle: When I first came here, this was all swamp. Everyone said I was daft to build a castle on a swamp, but I built it all the same, just to show them. It sank into the swamp. So I built a second one. That sank into the swamp. So I built a third. That burned down, fell over, then sank into the swamp. But the fourth one stayed up. And that’s what you’re going to get, Lad, the strongest castle in all of England.

I think we’re still building that first, perhaps the second, castle.

Posted by About RSA 2007
on Sunday, August 12, 2007 at 04:15 AM

[...] Eugene Spafford has a nice analysis about RSA 2007 [...]
