Parting thoughts 3: taking security seriously

Posted by Martijn Grooten on Dec 19, 2019

At the end of this month, I will step down as Editor of Virus Bulletin. Before I do so, I will share some 'parting thoughts' in five blog posts, based on my experience working in the IT security industry.

'Cyber terror threat!' was the headline of a press release a security vendor's marketing team sent to journalists this week, informing them about a WhatsApp vulnerability for which a patch had already been rolled out. And though this was an extreme example, security vendors tend to be rather over the top when it comes to their warnings about security issues.

I do wish nuance would sell better in security, and I applaud those who are trying to sell in a more nuanced way, but I acknowledge I am not a marketing person and that maybe I shouldn't tell marketing people how to do their job.

But I am someone who cares about optics. And the optics when it comes to security products' own security aren't always that great.

Too often security vendors are caught using poor security and privacy practices themselves. While one would expect a holier-than-thou approach to the security of their own products, they tend to be followers rather than leaders in adopting many best practices, and sometimes slow followers at that.

I have spent a great deal of time in the past five years talking to vendors about this issue and have given a few talks on the subject at semi-closed vendor events. And I know the reason for this lack of proactivity in terms of security is neither unwillingness nor a lack of understanding of the best practices. It is simply that making the required changes would be expensive, and there is often no real customer demand for it.

And, in fairness, customers aren't entirely wrong: though weaknesses in security products are sometimes exploited in attacks, it is still relatively rare and a lot of issues are mostly theoretical. But then, this also holds true for quite a few of the security issues in other products. And this rarely stops security vendors from making a fuss about it on their blogs.

More importantly, we know that good security has long-term benefits that are more than theoretical. So let us hold ourselves to the same high standards we set for others and turn security vendors into leaders rather than followers in this space.
