After security luminary Eugene Spafford gave a keynote at the FIRST conference in Boston this morning, some noted that his overall outlook was dark and depressing.
Indeed, he painted a bleak picture of security. Among other things, he said companies and organizations are addicted to patching at the expense of building more ironclad systems, and that "If we keep patching, the system will collapse under the weight of all those patches."
One friend on Twitter noted that the tone was too negative, based on the tweets she was reading. Her stated preference is to hear keynotes that emphasize how to fix things and make them better.
That's a fair point. Sometimes we do go for the negative at the expense of finding real solutions or, at least, real steps in the right direction. Misery loves company, and when security practitioners are frustrated about things that never change, they vent. Of course, it's that way in any industry.
But in Spafford's defense, he pointed to things that are absolutely true.
In the present, we need patching because we can't simply ditch the technology we've come to depend on. The better systems he spoke of have to be built first. For now, patching is better than leaving holes.
Ultimately, he's right. We can't rely on patching forever.
He's also right that we need more accountability and consequences for those who write bad code and rush products to market without considering the security implications first.
And yes, we need to stop treating incident responders like janitors, making them clean up the same messes over and over.
I tend to be an optimist. I see a lot of good work being done in the industry, including the work being done by my colleagues at Akamai. I see industry friends making huge advances.
We're certainly not where we need to be, but we're slowly heading in the right direction.
But before we can reach the promised land, we need a sober lesson regarding the things that are still wrong.
To that end, Spafford did us a great service this morning.