Comdex Panel Ponders Security and Open Source

Many companies still don't understand the urgency of locking down their networks, experts said Monday during a panel discussion here at Comdex Las Vegas 2003. Meanwhile, Windows and open source advocates debated relative security.

LAS VEGAS—Although enterprises are continuing to invest in security technologies, many companies still don't understand the importance and urgency of locking down their networks, experts said Monday during a panel discussion here at Comdex Las Vegas 2003.

The panelists, who included security vendors and analysts, all lamented the fact that many customers still seem more interested in usability and compatibility than security. Although, given that vendors over the last decade have consistently hawked those two features to the exclusion of security, the attitude in corporate America is hardly surprising.

"Microsoft is really good at producing really cool stuff. Security isn't cool," said Carl Ellison, security architect at Microsoft Corp., based in Redmond, Wash. "I want to produce good stuff and customers want dancing pigs."

Part of the blame for this apathy must be laid at the feet of corporate security specialists who for years have consciously kept users and executives in the dark when it comes to security, several of the panelists said.

"If you were to ask me 10 years ago when I was in corporate security if I should engage my end users in security, I'd say no," said Ron Moritz, chief security strategist at Computer Associates International Inc., based in Islandia, N.Y.


The question of how much information is enough also came up later in the discussion, in the context of whether open-source software is inherently more secure than software built on proprietary code. Microsoft's Ellison said that publishing source code simply gives attackers a head start on finding vulnerabilities.

"There are security risks with open source. By publishing the source code, it can be examined by the attackers," Ellison said. "I have a Red Hat system I run on the side at home and it receives patches more often than my Microsoft systems do."

Others said the real issue is who is auditing the code before it's released, or whether an audit is being done at all.

"Software that's examined is more secure. It's not that open source is more secure than closed source," said Bruce Schneier, CTO of Counterpane Internet Security Inc., in Cupertino, Calif. "Closed and nobody looks at it and open and nobody looks at it [and either] isn't secure. Open source doesn't make it secure, it facilitates it."
