Despite the consistent heel-nipping assertions that all I want to do is have people throw away their firewalls (I don't), I think Shrdlu nailed it with a comment posted on Lindstrom's blog. I'll get to that in a second. Here's the setup.
Specifically, Pete maintains that Spaf's comments (see here) are an indicator that security isn't failing, rather we are -- and by design. We're simply choosing not to fix the things we ought to fix:
This is a simple one, from Dr. Eugene Spafford's blog:
We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.
So, we have resources that are unallocated - we have time, money, and bodies we could throw at the security problem. We have the know-how and the tools to reduce the risk. And yet, we aren't doing it.
If security were "failing" there would be evidence of people either giving up entirely and reducing their IT investments and resources, or spending more money on success.
An interesting perspective and one I'm bound to agree with.
Here's Shrdlu's comment, which I think really nails the reason I am going to continue to press the issue regardless; I think the general apathetic state of the security industry (as Pete also suggests) is the first obstacle to overcome:
Cherchez l'argent, mes amis ("follow the money, my friends"). Mix in Spaf's argument with Pete's and add Marcus and Bruce, and you've got the answer: people don't think security is failing enough to spend money doing something about it. The externalities aren't intolerable. The public isn't up in arms; if anything, security breaches have reached the same level of public semi-awareness as bombing in Iraq -- it happens every day, everyone agrees how awful it is, and then they go back to their lattes.
We're not going to fire or retrain a generation of cheap programming labor to Do the Right Thing and redesign systems. Not until it hurts enough, and let's face it, it doesn't. All the FUD and hand-wringing is within the security industry. We're doing our jobs just well enough to keep things from melting down, so why should anyone pay more attention and money to something that's mediocre but not a disaster?
There's not a whole lot more that needs to be said to embellish or underscore that argument.
I'll be over here waiting for the next "big thing" to hit, and instead of fixing it, we'll see SOX part Deux.
See, Shrdlu's not the only one who can toss in a little French to sound sophisticated ;)
/Hoff