|
industry progress and attitudes
Progress Report by Gene Spafford
Uniform security among IT systems is nonsensical, yet that attitude still prevails in many instances.
Gene Spafford
- TITLE Executive director, Center for Education and Research
- in Information Assurance and Security (CERIAS)
- Organization Purdue University
- INDUSTRY Education
- KUDOS
- Founder and executive director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University
- Renowned adviser to government and industry.
- Along with Steve Weeber, is credited with defining the concept of software forensics and aiding in the first prosecution of a virus writer.
- Developed and released the COPS network security scanner.
- Along with Gene Kim, developed the first free intrusion detection system, Tripwire.
- Coauthored the seminal Practical Unix Security with Simson Garfinkel.
[IMAGE]...
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
I'd like to introduce a theme I have been speaking about for nearly two decades by taking a long view of computing. Fifty years ago, IBM introduced the first all-transistor computer (the 7000 series). Transistors were approximately $20 apiece, and storage was about 10 cents per byte (both measured in current dollars). Costs and capabilities have changed by a factor of tens of millions in five decades.
Yet, despite the incredible transformations in hardware, operating systems, databases, languages and more, overall information security may be worse now than it was in the 1960s. We're still suffering from problems known for decades, and systems are still being built with intrinsic weaknesses, yet now we have more to lose with more systems coming online every week.
Why have we failed to make appreciable progress? In part it is because we've been busy trying to advance on every front, and have every system perform all possible tasks. There is a general lack of awareness that security needs are different for different applications; instead, people seek uniformity of OS, hardware architecture, programming languages and beyond. Ostensibly, this uniformity is to reduce purchase, training and maintenance costs, but fails to take into account risks and operational needs. Such attitudes are clearly nonsensical, so it is perplexing they are still rampant in IT.
|
 |
|
