Posted by Martijn Grooten on Dec 19, 2019
At the end of this month, I will step down as Editor of Virus Bulletin. Before I do so, I will share some 'parting thoughts' in five blog posts, based on my experience working in the IT security industry.
'Cyber terror threat!' was the headline of a press release a security vendor's marketing team sent to journalists this week, informing them about a WhatsApp vulnerability for which a patch had already been rolled out. And though this was an extreme example, security vendors tend to be rather over the top when it comes to their warnings about security issues.
I do wish nuance would sell better in security, and I applaud those who are trying to sell in a more nuanced way, but I acknowledge I am not a marketing person and that maybe I shouldn't tell marketing people how to do their job.
But I am someone who cares about optics. And the optics when it comes to security products' own security aren't always that great.
Too often security vendors are caught using poor practices when it comes to security and privacy. While one would expect a holier-than-thou approach to their own products' security, they tend to be followers rather than leaders in adopting many best practices, and sometimes slow followers at that.
I have spent a great deal of time in the past five years talking to vendors about this issue and have given a few talks on the subject at semi-closed vendor events. And I know the reason for this lack of proactivity in terms of security is neither unwillingness nor a lack of understanding of the best practices. It is simply that making the required changes would be expensive, and there is often no real customer demand for it.
And, in fairness, customers aren't entirely wrong: though weaknesses in security products are sometimes exploited in attacks, it is still relatively rare and a lot of issues are mostly theoretical. But then, this also holds true for quite a few of the security issues in other products. And this rarely stops security vendors from making a fuss about it on their blogs.
More importantly, we know that good security has long-term benefits that are more than theoretical. So let us hold ourselves to the same high standards we set for others and turn security vendors into leaders rather than followers in this space.