Schneier-Ranum Face-Off on the dangers of a software monoculture
This article is part of the Information Security magazine issue of November 2010
Point: Bruce Schneier

In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.

The basic problem with a monoculture is that it's all vulnerable to the same attack. The Irish Potato Famine of 1845-9 is perhaps the most famous monoculture-related disaster. The Irish planted only one variety of potato, and the genetically identical potatoes succumbed to a rot caused by Phytophthora infestans. Compare that with the diversity of potatoes traditionally grown in South America, each one adapted to the particular soil and climate of its home, and you can see the security value in heterogeneity.

Similar risks exist in networked computer systems. If everyone is using the same operating system or the same ...
Features in this issue
Slew of McAfee product initiatives pique interest of customers but industry analysts say the security giant needs to sharpen its focus.
Moving IT operations to the cloud requires careful due diligence to maintain compliance with HIPAA, GLBA and other regulations.
The economy is dragging down pay for information security professionals but not dampening their dedication.
Re-architect your provisioning system into a first line of defense for access management.
Columns in this issue
To cure the botnet plague, Microsoft wants to quarantine infected consumer PCs until they're remediated.
Application security reviews miss a critical vulnerability by not ensuring functional security.
Security experts Bruce Schneier and Marcus Ranum debate the impact of a software monoculture on computer security.