Security luminary Eugene Spafford gave a rather bleak assessment of the state of the industry in his FIRST Conference keynote this morning.
His focus of gloom: Patches.
Specifically, the addiction of companies and organizations to patching, at the expense of building more ironclad systems.
"If we keep patching, the system will collapse under the weight of all those patches," he declared.
Spafford, professor of computer science at Purdue University, outlined a number of problems with security today. Among them:
- No real consequences for malware writers, most of whom never get caught
- No real consequences for poor system design
- A lack of metrics
- A lack of understanding of what security truly is
- A tendency to accept training as education
- Looking at Internet security as a military problem rather than a law enforcement issue
- Building incident response procedures that enable bad practices, bad designs and bad attitudes
"Rather than design secure systems by default, we apply endless layers of patching," he said. "Government worries about patching their own systems, not about building new, more secure systems."
It's a narrow vision the private sector is also guilty of, he said.
"Industries are interested in pushing new products to market, not about enabling security (around said products)," he added. "And we all go along with it."
The end result is that we are doomed to keep repeating the same mistakes.
Or, as Spafford put it, CERTs will continue to be more like janitors than the Internet's firefighters, "mopping up the same mess each week."