Parting thoughts 3: taking security seriously

Posted by   Martijn Grooten on   Dec 19, 2019

At the end of this month, I will step down as Editor of Virus Bulletin. Before I do so, I will share some 'parting thoughts' in five blog posts, based on my experience working in the IT security industry.

'Cyber terror threat!' was the headline of a press release a security vendor's marketing team sent to journalists this week, informing them about a WhatsApp vulnerability for which a patch had already been rolled out. And though this was a rather extreme example, security vendors tend to be rather over the top when it comes to their warnings about security issues.

I do wish nuance would sell better in security, and I applaud those who are trying to sell in a more nuanced way, but I acknowledge I am not a marketing person and that maybe I shouldn't tell marketing people how to do their job.

But I am someone who cares about optics. And the optics when it comes to security products' own security aren't always that great.

Too often security vendors are caught using poor practices when it comes to security and privacy. While one would expect a holier-than-thou approach when it comes to their own products' security, they tend to be followers rather than leaders when it comes to many best practices, and sometimes slow followers at that.

I have spent a great deal of time in the past five years talking to vendors about this issue and have given a few talks on the subject at semi-closed vendor events. And I know the reason for this lack of proactivity in terms of security is neither unwillingness nor a lack of understanding of the best practices. It is simply that making the required changes would be expensive, and there is often no real customer demand for it.

And, in fairness, customers aren't entirely wrong: though weaknesses in security products are sometimes exploited in attacks, it is still relatively rare and a lot of issues are mostly theoretical. But then, this also holds true for quite a few of the security issues in other products. And this rarely stops security vendors from making a fuss about it on their blogs.

More importantly, we know that good security has long-term benefits that are more than theoretical. So let us hold ourselves to the same high standards we set for others and turn security vendors into leaders rather than followers in this space.
