Security 7 Award winners tackle important information security issues


This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."

Download it now to read this article plus other related content.


industry progress and attitudes
Progress Report by Gene Spafford

Uniform security among IT systems is nonsensical, yet that attitude still prevails in many instances.



Gene Spafford
  • TITLE Executive director, Center for Education and Research
  • in Information Assurance and Security (CERIAS)
  • Organization Purdue University
  • INDUSTRY Education
    • Founder and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University
    • Renowned adviser to government

    Requires Free Membership to View

    • and industry.
    • Along with Steve Weeber, is credited with defining the concept of software forensics and aiding in the first prosecution of a virus writer.
    • Developed and released the COPS network security scanner.
    • Along with Gene Kim, developed the first free intrusion detection system, Tripwire.
    • Coauthored the seminal Practical Unix Security with Simson Garfinkel.


I'd like to introduce a theme I have been speaking about for nearly two decades by taking a long view of computing. Fifty years ago, IBM introduced the first all-transistor computer (the 7000 series). Transistors were approximately $20 apiece, and storage was about 10 cents per byte (both measured in current dollars). Costs and capabilities have changed by a factor of tens of millions in five decades.

Yet, despite the incredible transformations in hardware, operating systems, databases, languages and more, overall information security may be worse now than it was in the 1960s. We're still suffering from problems known for decades, and systems are still being built with intrinsic weaknesses, yet now we have more to lose with more systems coming online every week.

Why have we failed to make appreciable progress? In part it is because we've been busy trying to advance on every front, and have every system perform all possible tasks. There is a general lack of awareness that security needs are different for different applications; instead, people seek uniformity of OS, hardware architecture, programming languages and beyond. Ostensibly, this uniformity is to reduce purchase, training and maintenance costs, but fails to take into account risks and operational needs. Such attitudes are clearly nonsensical, so it is perplexing they are still rampant in IT.



This was first published in October 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: