Parting thoughts 3: taking security seriously

Posted by Martijn Grooten on Dec 19, 2019

At the end of this month, I will step down as Editor of Virus Bulletin. Before I do so, I will share some 'parting thoughts' in five blog posts, based on my experience working in the IT security industry.

'Cyber terror threat!' was the headline of a press release that a security vendor's marketing team sent to journalists this week, informing them about a WhatsApp vulnerability for which a patch had already been rolled out. And though this was a rather extreme example, security vendors tend to be over the top when it comes to their warnings about security issues.

I do wish nuance would sell better in security, and I applaud those who are trying to sell in a more nuanced way, but I acknowledge I am not a marketing person and that maybe I shouldn't tell marketing people how to do their job.

But I am someone who cares about optics. And the optics when it comes to security products' own security aren't always that great.

Too often security vendors are caught using poor practices when it comes to security and privacy. While one would expect a holier-than-thou approach when it comes to their own products' security, they tend to be followers rather than leaders when it comes to many best practices, and sometimes slow followers at that.

I have spent a great deal of time in the past five years talking to vendors about this issue and have given a few talks on the subject at semi-closed vendor events. And I know the reason for this lack of proactivity in terms of security is neither unwillingness nor a lack of understanding of the best practices. It is simply that making the required changes would be expensive, and there is often no real customer demand for it.

And, in fairness, customers aren't entirely wrong: though weaknesses in security products are sometimes exploited in attacks, it is still relatively rare and a lot of issues are mostly theoretical. But then, this also holds true for quite a few of the security issues in other products. And this rarely stops security vendors from making a fuss about it on their blogs.

More importantly, we know that good security has long-term benefits that are more than theoretical. So let us hold ourselves to the same high standards we set for others and turn security vendors into leaders rather than followers in this space.
