The magical security unicorn.

The purpose of security software is to make other software more secure. This is what the security industry claims, sometime with legit arguments, sometime the industry tries to chase unrealistic ideals, as a recently linked article suggest.

And I couldn’t agree more. The security industry approaches the problem from the wrong end, most of the time. With keeping in mind the principles of security, Integrity, Availability and Authenticity, security software helps mitigate threats in the class of Vulnerabilities, Exploits and malicious software and payloads. Products available to purchase can be considered in classes of, Encryption (Integrity and Authenticity), for data in rest (disk encryption, file encryption) or for data in transit (VPN or protocol encryption). Backup is clearly saving Availability, but most companies in the security industry consider this a different topic. Then there are products to limit access, e.g. Network Layer Firewalls, which have a very distinct functionality. Up to here, things are very clear and deterministic. When it comes to Application Layer Firewalling, e.g. Web Application Firewalls things start to get fuzzy.

Products that aim to protect from any unknown threat, malware or payload, like Anti Virus, Anti Spam, Intrustion Prevention and even Vulnerability Scanners, provide information that is know already.

Now that a particular exploit is know, protection for it can be provided in two distinct locations: the vulnerable software can be patched to remove the problem. Or, what the security industry offers, have another piece of software in place that tries to protect from something that is known already. And with that, raising system complexity and opening another vector for vulnerability.

The sustainable approach is to invest in secure software and architecture, that has built in encryption, authentication and redundancy. This is something the security industry can provide as technology vendors, rather than chasing the magical unicorn.