Youch! Just when the propeller heads thought the tide had turned in the "security vs. features" war, along comes proof that shiny-blinky things* are exactly what the majority of security pros covet most in the IT security products they buy.
As part of our 2003 Product Survey, we asked more than 1,100 IT security professionals what they valued most in a security product. Nearly 60 percent said "features and functions." About one-fifth of respondents said they valued the product's fit into their existing infrastructure. Fewer than 10 percent mentioned the product's own security.
Again, I say: Youch.
It's a rite of passage for security geeks to complain about vendor emphasis on features over security. You don't have to look far to find list servers or chat rooms or seminars where feature-bashers gather to decry security's sacrifice at the altar of shiny-blinkiness. The main target, of course, is the big-time NOS and app vendors--primarily the big "M," but also the big "N," the big "O," the big "P" and others.
Recently, the unexpected happened: These vendors actually got the message (or at least pretended to). Oracle and PeopleSoft and SAP and Novell began ratcheting up security in each new release. Even Microsoft pledged to focus on security and scale back feature creep. With Windows Server 2003, it appears to have delivered on that promise.
Still, we've got a long, long way to go before we hail the Age of Robust Computing. Exhibit A: the seemingly endless supply of security startups offering one-off tools to detect, monitor, manage, block and fix security vulnerabilities and attacks in and on our systems. "Vendor of the week" syndrome is a result of the core infrastructure not cutting it, security-wise. Ironically, it's also a manifestation of our demand for more shiny-blinkiness.
Security Should Be Different, Right?
From the earliest days of commercial IT security, we naturally expected security products to be "different" from infrastructure software. Surely, our vendor brethren would pride themselves on emphasizing robustness over features. Who cares if your firewall has a nice GUI? If it fails open after an IP fragmentation attack, what's the point?
But now what are security vendors supposed to think? We're telling them that we like shiny-blinky things in our security gear! Security and robustness? Bah!
Actually, there's a long history of security products riding to glory on the back of shiny-blinkiness. Take the firewall market. DEC beat Check Point to market by nearly two years with DEC SEAL. But Check Point's introduction of a fancy GUI for rule-set administration in FireWall-1 quickly trumped DEC SEAL's CLI, catapulting FW-1 into the dominant position it still holds today.
Another example: ISS's Internet Scanner was the first vulnerability assessment (VA) tool to display scan results in colorful pie charts and bar graphs, prompting thousands of jaw-droopy suits to hand the security guy a blank check.
Both of these are examples of "good" shiny-blinkiness. Internet Scanner's reports brought security to the corner office. And FW-1's GUI made firewalling accessible to "normal" people. You could even argue that the interface made it more secure than a product that was less intuitive and therefore more prone to misconfiguration.
But that's "good" shiny-blinkiness. My fear is that the demand for features and functionality will lead to "bad" shiny-blinkiness: Features for features' sake; features at the expense of security engineering. We've already been through that with the NOS and infrastructure software vendors. Heaven forbid some security vendor reads this, turns to his product dev guys and says, "Hey Charlie, scrap the strong authentication! What we really need is a new shiny-blinky thing!"
As always, the market will be the judge and jury. With luck, we'll end up with market-dominating products that balance functionality and robustness. Isn't that what security is all about?
*Tip o' the hat to Black Hat founder Jeff Moss, who coined this highly technical term.
Andrew Briney is editor-in-chief of Information Security.