What happened to acting for the greater good of the security community? These days it's all about cold, hard cash.
Motivation--it's a fascinating human quality to observe. What makes people do the things they do? For some, it's about fame, respect or power. I recently worked at a humanitarian organization where people were motivated by social and economic injustices. Sadly, it appears that the security industry is evolving into one that revolves around the almighty dollar.
Over the past decade, the security community has operated on a host of unwritten rules and actions that served the greater good of the community. It was a relatively small community. Security researchers passed on bugs to the appropriate vendors. Patches and code were shared. Best practices and advice were given.
As the market evolves and moves from the server room to the boardroom, the rules of business change. It's all about cost-benefit analysis and free-market economies. Vulnerabilities are no longer monetized only by the bad guys. Today, even publicly traded companies like VeriSign and 3Com are paying for security intelligence--sometimes several thousand dollars per bug.
These moves are viewed as unsavory by some. And while it is disheartening to see the dissolution of gentlemen's agreements, perhaps it is just a consequence of a maturing industry.
The community that formed 10-plus years ago has grown into a thriving market with lots of opportunities--good and bad. Large, established vendors such as Microsoft, CA, Cisco Systems and Oracle have entered the market. Organized crime has gotten into the picture. And money is, of course, the motivating factor.
While money drives business, strong relationships are based on trust. After a few missteps, Microsoft has been working with the security community to earn its trust (and respect). In "Is Microsoft Trustworthy Yet?" TechTarget's Windows Media Group news director, Margie Semilof, looks at Microsoft's relationship with users as it marks the fourth anniversary of its Trustworthy Computing Initiative. While many users believe Microsoft has made great strides in securing its software, there is still much work to be done.
And money--or rather, the loss of money--has driven the credit card associations to work together to come up with an industry standard to protect credit card transactions. The Payment Card Industry standard, or PCI, is now forcing merchants to think about their security posture. Why? Well, one reason is the hefty fines that merchants could incur if they don't comply. (For more on the standard, see "Swiping Back.")
As the industry grows, so does the sophistication of the threats. One of the more menacing, and annoying, forms of malware is spyware--so much so that it tops the list of security priorities for 2006, according to Information Security readers. But buyer beware: As you'll see in "Spy Catchers," some of the enterprise antispyware products are disappointing. Ed Skoudis and Tom Liston test seven enterprise-class antispyware products and find that most fall short on behavior-based protection and real-time detection. Another interesting finding from the review: In every case, the enterprise tool was far weaker by default than its consumer brethren.
If money does make the world go 'round, hopefully you'll find a few articles in this issue that will help you spend corporate dollars more wisely.