Tired Security

As much as I respect Bruce Schneier, and regard his comments as expert in the field, this recent batch seems less than insightful. It's not that they are fantastic or pie in the sky — that I love about these ideas. Utopia is something worth striving toward especially in the technological sense. It is that these ideas do not acknowledge the nature of the IT security industry. They simply speak from the entrance of some dreamy state. The fact that someone of Bruce Schneier’s caliber made these statements at all, seems akin to something like Stephen Hawking saying, “Wouldn’t it be hot if we had warp drive, dawg!?”

Admittedly, I wasn’t fortunate enough to go to Infosec. So, you can suppose I am no expert. Yet, something tells me that that puts me in the majority.

The primary reason the IT security industry exists is because IT products and services aren’t naturally secure.

However, in reality, the primary reason the IT security industry exists is the same reason all security industry exists. Most industries do not focus on all potential security aspects. Guess what? Most industries do not focus on all potential information technology aspects either, that is why there is an information technology industry. As you can see, none of this is a new paradigm for business, nor is it necessarily a situation that is crying for a technologist. It's a business topic and I welcome any experts to chime in — I’m not an expert in business at all. One thing is certain though, there is a perfectly genuine business need for subsidiary industries, that while they do so indirectly, keep their parent industries honest, and in check — you can call that, my expert opinion.

For example, the automobile tire manufacturing industry is a separate entity from automobile manufacturing itself. Tire making has its own set of dependencies such as with rubber production. Auto makers do not consider it affordable to market and sell automobile components as well as automobiles. And, with this case, it's only affordable for auto makers to produce cars on such large scales because the mark-up imposed on the mass production of such expensive components is equally large. Furthermore, this markup is only acceptable to consumers because of the service auto makers provide. Buying the parts and putting the car together yourself, as an individual, is not likely economical (and we’ll see how that paradigm continues as we scale upward). This same sort of industrial dependence is true in software “manufacturing”.

It is all ultimately no different from how rubber is needed, thereby cultivated and sold, only to be used in the tire manufacturing, and again sold, as tires to auto makers.

If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure.

If automobile manufacturers took time to produce their own components, put their name on those components, and thereafter supported the whole as well as its pieces, there would be no automobile manufacturing industry before too long.

As with the individual, buying all the parts (parts of parts in this case!), and putting them together isn’t economical for auto makers. Even in a perfect world or utopia, where car makers would somehow survive all the legal liabilities that come with this scale of production. Because, at some point everyone has a car that lasts for a very long time and no one needs auto makers for a very long time.

There's no long term sustainability for a business using such long lasting materials, and with a market-diminishing nature to the product design. And, the software business works the same way. The only other point made in the above statement, and I’d call it into question as well, is that there should be savings related to handling all security aspects in-house. I find that that's entirely untrue as a general statement.

Companies must still spend those same billions on security — those same problems still exist. It's all a matter of who’s making that initial investment, and then, who’s passing the cost of that investment, onto the consumer. The fact remains as does the job, that it doesn’t ever somehow get smaller, cheaper, or easier the more you centralize. When you centralize without some revolutionary streamlining innovation, what results instead, is a monolithic entity that is larger, more costly, and more complex.

I wonder how someone would think that without asking themselves: How would companies that are not tooled for producing security assets, produce security assets cheaper than those that are so tooled? Or: How would tooling said companies for producing more secure software, make them more cost effective entities? They would have and need more tools, and expertise; have more concerns, responsibilities, and liabilities; more operating to do; and overall simply, more operating costs.

Drawing a parallel, Microsoft does not put the same emphasis on security as they do usage innovation — that's not a joke, stop laughing. Microsoft concerns itself with innovating software in more general aspects which encompass, to a degree, aspects of software security. Microsoft does this for the same reason automobile manufacturers make the cars but not the tires — there is a point at which some part of the process is not cost effective inside a given model, and it becomes cost effective to instead give rise to subsidiary industries which reinforce that model as a means of strategy security (as well as to diversify the market with a multitude of competing entities).

It would cost, in Microsoft’s case, a great deal more to produce the kind of security assets (or component products) that would address known issues within their existing products. And when you talk about enhancing those products, you’re just invoking the need for the creation of the aforementioned security assets. Just as automobile manufacturers specialize in putting the pieces together not making them from scratch — Microsoft maximizes the value found in using affordable materials (or less security-concerned software). And, it is only more affordable because some other entity, McAfee, for example, is maximizing the value of the security-side of that production — the tire-side in the auto makers' case. In both cases the subsidiary industry is taking up that cost-slack, and turning lemons into lemonade — that is a kind of innovation, and it should not be stifled.

Aftermarket security is actually a very inefficient way to spend our security dollars; it may compensate for insecure IT products, but doesn’t help improve their security.

This much may or may not be true. If there are examples that show this is ultimately the case, I don’t know of any of them, admittedly, and would like to know of them. For now, I can’t say exactly which way would be more economical, or more efficient.

Until there is a fair comparison, there's no reason to think the people who designed and produced a set of features should understand all the aspects of how those features might be misused days, months or even years, later, and by any variation of the expected use cases.

Intuition even suggests, given the rigidity in which features tend to be defined and produced for software, that these same people who created the software, might actually be less likely to think outside the particular box that they have spent so much time defining. It would seem to me only more likely that someone capable of free-wheeling attempts at misuse, would have a better chance finding those entirely unexpected vulnerabilities that can produce so much havoc — specifically because they were so unexpected.

Fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later.

Security is an exclusive, and progressive concern, you cannot fold it into any activity and achieve ideal results. Security concerns aren’t something that go away once you have dispensed with the value on some one-time, or many-timed, price tag either. In all actuality, the $100,000 you spend securing your product, today, could very well lead to $200,000 in new security vulnerabilities for you, and every one of your competitors, or subsidiaries, tomorrow (or sooner depending). So, that's the next point: your level of security is in constant flux, no matter who you are, or what you do. You could hire a team of ten security guards only to later realize one of them had been stealing from the company!

Keep this in mind too; there are people who guard buildings where software is developed on large campuses like Microsoft’s, and a lot of the time, these security people work for an independent firm. I’d like to suggest that the reason for this is, while there is cause for those in-house to be vigilant (and it's expected of them), it's not their duty. And so, there may be reason to hire people to be vigilant (which is outside otherwise expected development costs), because they are slightly better trained in this capacity.

The lesson experience lends those people though, is that still nothing will dismiss times when you “need to break down and dial 911”, or call in “the security experts”, who can leverage a life-time of experience, gathered dealing with a much larger, more diverse body of concerns — or aptly put those people who are knee-deep in the security industry.

Finally, assets of security built for software help to protect software activities, and ultimately the end-user. Tires built for cars protect wheels’ activities, and ultimately the end-user. Both security, and tires, insulate and protect against an outer layer where active use can result in potentially damaging circumstances, affecting otherwise normal operations. Without all their constituent components, both the car and the software, eventually, or in some cases, immediately, fail to meet end-user needs. And, without the effort of those individual constituencies striving for excellence within their respective designs and fields, the pace at which opportunities are created to allow for innovation, will decrease. At the same time, the counterculture which works to discover methods to disrupt secure entities (that culture which discovers, makes, and syndicates exploits for vulnerabilities) will see no such decrease in production, and will remain a well oiled, distributed set of socially disjoint cells, each with their independent abilities and skills, social networks, communication methods, and potential exploit schemes.
