From product to process: Bruce Schneier's take on security
Bruce Schneier is one of the intellectual giants of our field. Author of several books, including the much-translated and appreciated Applied Cryptography, Schneier has written many insightful articles on fundamental aspects of information security.
In particular, his free "CRYPTO-GRAM" newsletter, published monthly by his company, Counterpane Internet Security, is always worth reading.
In the May edition, "CRYPTO-GRAM" included the article, "Computer Security: Will We Ever Learn?" Schneier opens with his oft-quoted dictum, "Security is a process, not a product." (A corollary is "Security is a process, not a state.") After describing known problems with operating systems and encryption algorithms, he asks, "Is anyone paying attention?" Alas, "the answer to this question is: not really ... No one is paying attention because no one has to."
He explains that the lack of legal liability for incompetent software engineering lets manufacturers take the easy route of producing bad-quality security software. "Real security is harder, slower, and more expensive to design and to implement. Since the buying public has no way to differentiate real security from bad security, the way to win in this marketplace is to design software that is as insecure as you can possibly get away with."
I think there have been efforts in the right direction to improve security products. My former long-time employer, ICSA Labs (http://www.icsa.net), runs several industry consortia that focus on setting and applying standards of functionality and quality to different types of products (See www.icsa.net/html/certification/ for a description of the certification process at ICSA Labs). I know from personal experience with the consortia that the ICSA staff and the representatives from member companies take their jobs seriously.
For example, the Anti-Virus Product Developers' (AVPD) Consortium quickly raised the standards for antivirus products so the vendors could no longer compete on the basis of how many variants of malicious software they could identify. That information became common knowledge, and all of the participating antivirus scanner products were tested using the same test procedures.
Within a few years, this quality-assurance effort paid off for everyone. Users could count on effective antivirus functionality from any ICSA-certified antivirus product, and AVPDs could focus on user documentation and interface, ease of installation, and frequency of updates, rather than wasting time and effort trying to win a numbers game.
Schneier recommends that everyone concerned with security keep track of known vulnerabilities using alert services and network vulnerability scanners. He contends we ought to be monitoring all network components continuously. "Almost everything on your network produces a continuous stream of audit information: firewalls, intrusion detection systems, routers, servers, printers, etc. Most of it is irrelevant, but some of it contains footprints from successful attacks. Watching it all is vital for security, because an attack that bypassed one product might be picked up by another."
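To make the point in the quoted passage concrete, here is a small added illustration (written for this column, not code from Schneier or Counterpane) of joining several audit streams on a common key. Three constructed log formats stand in for a firewall, an intrusion detection system and a server's sshd; the hostnames, addresses and line layouts are invented. The firewall legitimately ACCEPTs a connection and so raises no alarm of its own, but the same source address shows up in IDS alerts and repeated failed logins on the server, and only the cross-source view surfaces it.

```python
"""Cross-source audit-log correlation (added illustration; not from the column).

Each raw line is normalized to (sensor, source_ip, suspicious), then events are
grouped per source IP across sensors so that activity one device passed can
still be surfaced by another.
"""
import re
from collections import defaultdict

# Constructed sample lines; hostnames, formats and addresses (RFC 5737 ranges) are invented.
SAMPLE_LOGS = """\
2000-05-14T10:01:02 fw1 ACCEPT src=203.0.113.7 dst=10.0.0.5 dport=22
2000-05-14T10:01:03 fw1 ACCEPT src=198.51.100.20 dst=10.0.0.5 dport=22
2000-05-14T10:01:04 srv5 sshd: Accepted publickey for deploy from 198.51.100.20 port 50110
2000-05-14T10:01:05 ids1 ALERT sig="SSH brute force" src=203.0.113.7 dst=10.0.0.5
2000-05-14T10:01:06 srv5 sshd: Failed password for root from 203.0.113.7 port 40022
2000-05-14T10:01:07 srv5 sshd: Failed password for root from 203.0.113.7 port 40023
2000-05-14T10:01:08 srv5 sshd: Failed password for admin from 203.0.113.7 port 40024
2000-05-14T10:01:09 fw1 DROP src=192.0.2.99 dst=10.0.0.5 dport=23
"""

# One pattern per (hypothetical) source format. Each yields the source IP and a
# per-line judgement of whether the sensor itself considered the event suspicious.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)$")
IDS_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) ALERT sig="(?P<sig>[^"]+)" src=(?P<src>\S+) dst=\S+$')
SSHD_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+$")


def parse_line(line):
    """Normalize one raw line into (sensor, source_ip, suspicious), or None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        # A DROP is the firewall acting on something; an ACCEPT is unremarkable on its own.
        return ("firewall", m["src"], m["action"] == "DROP")
    m = IDS_RE.match(line)
    if m:
        return ("ids", m["src"], True)  # any IDS alert is suspicious by definition
    m = SSHD_RE.match(line)
    if m:
        return ("server", m["src"], m["result"] == "Failed")
    return None  # unknown format: skipped here, but worth counting in a real pipeline


def correlate(log_text):
    """Group events by source IP: per sensor, how many lines were seen and how many were suspicious."""
    by_ip = defaultdict(lambda: defaultdict(lambda: {"seen": 0, "suspicious": 0}))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sensor, src, suspicious = parsed
        stats = by_ip[src][sensor]
        stats["seen"] += 1
        stats["suspicious"] += int(suspicious)
    return by_ip


def flag_sources(log_text, min_failures=3):
    """Return {source_ip: [reasons]} for sources that merit an analyst's attention.

    'bypassed_firewall': the firewall ACCEPTed the source (no alarm there) while the
                         IDS or server reported suspicious activity from it.
    'repeated_failures': at least min_failures failed logins from one source.
    """
    findings = {}
    for ip, sensors in correlate(log_text).items():
        fw = sensors.get("firewall")
        accepted = fw is not None and fw["seen"] > fw["suspicious"]  # at least one ACCEPT
        downstream = sum(s["suspicious"] for name, s in sensors.items() if name != "firewall")
        failures = sensors.get("server", {}).get("suspicious", 0)
        reasons = []
        if accepted and downstream:
            reasons.append("bypassed_firewall")
        if failures >= min_failures:
            reasons.append("repeated_failures")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_sources(SAMPLE_LOGS).items():
        print(f"{ip}: {', '.join(reasons)}")
```

The firewall stream alone would rate 203.0.113.7 as ordinary accepted traffic, and the server's three failures alone sit near any reasonable threshold; it is the join on the source address that turns two unremarkable streams into one finding. Unrecognized line formats are deliberately returned as None rather than raising, since a monitoring pipeline that dies on the first unexpected printer log line is itself a gap in coverage.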
In a white paper, "Managed Security Monitoring", Schneier explains where this thinking led: his company has made continuous monitoring of client security data the heart of its business. He then describes each element of the new service the company is offering subscribers.
This is a marketing document that provides sound information and sound reasoning and therefore makes Schneier and his colleagues look good. I wish more companies would govern their marketing departments to ensure this kind of excellence in their documentation. If you have any influence over such people, slip them a copy of this column.
Finally, take a look at the information on Schneier's new book, Secrets and Lies: Digital Security in a Networked World, on his Web site. I am looking forward to getting a reviewer's copy and will report my impressions in another column.
[Neither the author nor AtomicTangerine have a business relationship with Counterpane Systems, and the above commentary is not to be construed as an endorsement of Counterpane Systems' services.]
