How Sarbanes-Oxley changed the information security profession


Face Off

Marcus Ranum
I agree regarding your gloomy view of the future. It's ironic the counterculture "hackers" have enabled (by providing an excuse) today's run-patch-run-patch-reboot software environment and tomorrow's software Stalinism.

I don't think we're going to start building real security. Because real security is not something you build--it's something you get when you leave out all the other garbage as part of your design process. Purpose-designed and purpose-built software is more expensive to build, but cheaper to maintain. The prevailing wisdom about software return on investment doesn't factor in patching and patch-related downtime, because if it did, the numbers would stink. Meanwhile, I've seen purpose-built Internet systems run for years without patching because they didn't rely on bloated components. I doubt industry will catch on.

The future will be captive data running on purpose-built back-end systems--and it won't be a secure future, because turning your data over always decreases your security. Few possess the understanding of complexity and good design principles necessary to build reliable or secure systems. So, effectively, outsourcing--or other forms of making security someone else's problem--will continue to seem attractive.

That doesn't look like a very rosy future to me. It's a shame, too, because getting this stuff correct is important. You're right that there are going to be disasters in our future. I think they're more likely to be accidents where the system crumbles under the weight of its own complexity, rather than hostile action. Will we even be able to figure out what happened, when it happens?

Folks, the captains have illuminated the "Fasten your seat belts" sign. We predict bumpy conditions ahead.

Bruce Schneier is CTO of BT Counterpane and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World. For more information, visit his Web site at www.schneier.com.

Marcus Ranum is the CSO of Tenable Network Security and is a well-known security technology innovator, teacher and speaker. For more information, visit his Web site at www.ranum.com.

Send comments on this column to feedback@infosecuritymag.com.

This was first published in January 2008
