Infosec Frustration

I was reading a trade mag (I know - you should all slap me just for that) and just got really really discouraged at the picture of information security right now. I understand it's a trade mag, and trade mags are "free" so they have to be paid for somehow. And the way they're paid for is advertising. And I know that there are different forms of advertising. But this was still bad. So please understand the bias of this post is just from reading one rotten mag.

It seems that the solution to information security woes in all sizes of enterprises is to buy more products. We need to test the ability of our VPN's and IPS's to stand up to massive amounts of traffic while properly dealing with rotten traffic. We need more management systems to manage our antivirus definitions. We need threat modeling software to model our threats. We need BCP software to help us develop our BCP. And we need training and additional resources to manage those things.

I understand that much of this is useful. When it comes to buying something off the shelf or baking your own, often it makes more sense to buy something off the shelf and get the support that comes with it. And many of these products are completely legitimate.

My heartburn with the picture today is that we seem to be relying on products instead of professionals. What hits most closely to home for me is that we're quite prepared to pay mega-bucks for an application firewall, including the cost of terminating SSL early or having umpteen gillion deployments of the app firewalls so we can terminate SSL late; but we're not that interested in educating our developers to just write better code. For users, we're prepared to install personal firewalls, antivirus, anti-spyware, anti-popup, anti-phishing, but we're not prepared to ignore emails with words like "enlarge" or "great rates" in the subject, or practice safe habits like never ever clicking a link in an email, and we're certainly not willing to give up pr0n, gambling, or war3z.

I'm beginning to come around to the rest of the industry's point of view that user education is a lost cause. A common phrase in our profession is that "if you make a product more idiot-proof, they'll just make a better idiot." On the other hand, things like the PDF UXSS scare are a lot less scary if our users use the internet with a bit of prudence. And in large enterprises we can protect our internal users and (more importantly) our customers by taking some time and writing better software.

Please believe me - I know there are other non-advertising funded infosec mags out there. And those mags seem to have the thinkers. I just had to vent that information security "professionals" are quickly falling into the same trap that developers fell into 8-10 years ago - listen to the vendor and buy this one product, all that ails you will be cured.