Parting thoughts 3: taking security seriously

Posted by   Martijn Grooten on   Dec 19, 2019

At the end of this month, I will step down as Editor of Virus Bulletin. Before I do so, I will share some 'parting thoughts' in five blog posts, based on my experience working in the IT security industry.

'Cyber terror threat!' was the headline of a press release a security vendor's marketing team sent to journalists this week, informing them about a WhatsApp vulnerability for which a patch had already been rolled out. And though this was a rather extreme example, security vendors tend to be rather over the top when it comes to their warnings about security issues.

I do wish nuance would sell better in security, and I applaud those who are trying to sell in a more nuanced way, but I acknowledge I am not a marketing person and that maybe I shouldn't tell marketing people how to do their job.

But I am someone who cares about optics. And the optics when it comes to security products' own security aren't always that great.

Too often security vendors are caught using poor practices when it comes to security and privacy. While one would expect a holier-than-thou approach when it comes to their own products' security, they tend to be followers rather than leaders when it comes to many best practices, and sometimes slow followers at that.

I have spent a great deal of time in the past five years talking to vendors about this issue and have given a few talks on the subject at semi-closed vendor events. And I know the reason for this lack of proactivity in terms of security is neither unwillingness nor a lack of understanding of the best practices. It is simply that making the required changes would be expensive, and there is often no real customer demand for it.

And, in fairness, customers aren't entirely wrong: though weaknesses in security products are sometimes exploited in attacks, it is still relatively rare and a lot of issues are mostly theoretical. But then, this also holds true for quite a few of the security issues in other products. And this rarely stops security vendors from making a fuss about it on their blogs.

More importantly, we know that good security has long-term benefits that are more than theoretical. So let us hold ourselves to the same high standards we set for others and turn security vendors into leaders rather than followers in this space.




Latest posts:

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.