Do We Really Need a Security Industry?
Last week Bruce Schneier published a commentary about the security industry:
Do We Really Need a Security Industry?
This story generated a fair amount of discussion. The commentary is best summed up by this quote
Aftermarket security is actually a very inefficient way to spend our security dollars ...
The conclusion Bruce comes to is to outsource your security needs to a different company, the service being no different than outsourcing your telephone needs. While it makes sense that not every company will need to employ security experts, there is no reason that the operating system shouldn't be doing more. A technology such as SELinux can play a huge role preventing malware and intruders from gaining unwanted access.
The current aftermarket security industry relies on the idea that the operating system is insecure, and cannot be fixed. It is unlikely that a technology such as SELinux will ever result in a completely secure solution out of the box, but with the right know how it can help prevent many insecurities. As long as people write the code that runs our computers, there will be security bugs. We will never fix every possible bug, but we can try to mitigate the potential damage. Right now if a piece of malware infects a computer, it can do nearly anything it wants. In the near future SELinux should be able to prevent malware from doing anything useful.
