How to Improve Security: Make Users Understand It
What will it take to make software more secure? According to Marc Maiffret of BeyondTrust, the developers themselves need to work harder to plug holes -- which is certainly true. But another vital part of the equation is making the public understand and demand security features. Almost no one talks about this, but here's why they should.
In an op-ed piece published April 4 in The New York Times, Maiffret makes the case that software companies aren't working hard enough to make their products secure. As CTO of BeyondTrust, a major security vendor with a large channel presence whose recent moves include a number of important acquisitions, Maiffret knows a thing or two about why hackers seem to have it so easy. He's right that developers need to adopt a new mindset that prioritizes security, instead of regarding "security as an add-on feature."
But I'd argue that the problem runs deeper than the development process. It also reflects consumers' lack of understanding of what security actually means, and what kind of features provide it. Until the people making the purchases have a firmer grasp of this issue, software companies have little financial incentive to make their products more secure.
Today, most consumers have never heard of, let alone understand, things like buffer overflows or code injection. That's not surprising, since these are pretty esoteric topics. And it doesn't help that media coverage of "hacking" attacks rarely explains exactly which vulnerabilities the intruders exploited.
Yet if consumers had a basic understanding of what makes software insecure, they would demand features that address those vulnerabilities. And they would reward software companies that provide them with their business.
This isn't to say, of course, that everyone should be forced to complete a computer science degree. But one major—and feasible—improvement would be marketing that communicates on security features more directly, so customers would understand why they matter. It also wouldn't hurt for the channel to sharpen terms such as "hacking," which is currently used so broadly that it can mean almost anything—with the result that "anti-hacking" features often sound meaningless to consumers.
If this appears far-fetched, consider the automotive industry's approach to safety features. Most people who buy cars, I presume, don't understand all of the science behind anti-lock brakes or tire-pressure monitoring, for instance. But they have a basic idea of why these things make driving safer, and because of that, they are willing to pay for these features.
Computing need not be different. At the same time that developers work to make their products more secure out-of-the-box, the rest of the channel also should pursue opportunities to help users understand security enough for them to demand it. That, much more than government mandates or embarrassing vulnerability reports that mostly only circulate among geeks, will help raise security standards to a new level.