20070503

Schneier: Do We Really Need a Security Industry?


Finally - somebody else said it. I've alluded to it here, and here. There are so many products out there to make up for things we should have done earlier. Which is why I'm so sad that RSnake is coming around to the idea of WAFs.

We make and sell these products to bolt on security when it's too late, rather than making things secure from the beginning. And not only that, we never really engineer the kind of information we hold into the design, either. Does your application really need admins to be able to read all of the home addresses of your users, when you just use a third party to do the shipping? Then you don't need to store them. The less sensitive information you hold in the first place, the lower the impact of getting hacked. That's a design decision that needs to happen really early. Rather than trying to figure out how to protect credit card numbers, have we thought about whether we need them in the first place?
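To make the design decision concrete, here is an added example (not from the original post) of the same checkout flow written twice: once keeping every field it ever touched, and once handing the address to the shipper and the card to the payment processor and keeping only references. The `ShippingProvider` and `PaymentProvider` classes are hypothetical stand-ins for real third-party APIs, the order records are constructed, and `sensitive_fields_stored` is the kind of review check a team can run over its own storage schema.

```python
"""Data minimization at design time: store only what the application
itself needs, and hand the rest to the party that actually uses it.

Added illustration.  The shipping and payment providers are hypothetical
stand-ins; the 'before' record is constructed to show what an application
ends up holding when it keeps everything it touched."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Fields the application has no business retaining when a third party
# does the work.  Used by the review check below.
SENSITIVE_FIELDS = {"card_number", "card_cvv", "home_address"}


@dataclass
class ShippingProvider:
    """Hypothetical carrier API: takes the address and returns a label id."""
    _labels: Dict[str, str] = field(default_factory=dict)

    def create_shipment(self, address: str) -> str:
        label_id = f"ship_{len(self._labels) + 1:04d}"
        self._labels[label_id] = address  # the carrier, not us, holds the address
        return label_id


@dataclass
class PaymentProvider:
    """Hypothetical processor: takes card data once, returns an opaque token."""
    _vault: Dict[str, str] = field(default_factory=dict)

    def tokenize(self, card_number: str, cvv: str) -> str:
        token = f"tok_{len(self._vault) + 1:04d}"
        self._vault[token] = card_number  # processor's vault, not our database
        return token


def checkout_keeping_everything(card_number, cvv, address, shipper, payer) -> dict:
    """'Before': the order record retains every field it ever touched,
    so a dump of the order table is a dump of card data and addresses."""
    return {
        "card_number": card_number,
        "card_cvv": cvv,
        "home_address": address,
        "shipment_id": shipper.create_shipment(address),
        "payment_token": payer.tokenize(card_number, cvv),
    }


def checkout_minimized(card_number, cvv, address, shipper, payer) -> dict:
    """'After': pass data to whoever needs it and keep only references.

    What remains is enough to track the shipment, refund the charge and
    show the customer which card was used; none of it is directly usable
    by someone who dumps the order table."""
    return {
        "shipment_id": shipper.create_shipment(address),
        "payment_token": payer.tokenize(card_number, cvv),
        "card_last4": card_number[-4:],
    }


def sensitive_fields_stored(record: dict) -> Set[str]:
    """Design-review check: which fields in a stored record are ones the
    design said not to hold?  An empty set means the record passes."""
    return SENSITIVE_FIELDS & set(record)


if __name__ == "__main__":
    # Constructed sample input; not a real card number or address.
    CARD, CVV, ADDR = "4111111111111111", "123", "1 Example St, Springfield"
    before = checkout_keeping_everything(CARD, CVV, ADDR, ShippingProvider(), PaymentProvider())
    after = checkout_minimized(CARD, CVV, ADDR, ShippingProvider(), PaymentProvider())
    print("before:", sorted(sensitive_fields_stored(before)))   # three violations
    print("after: ", sorted(sensitive_fields_stored(after)))    # none
```

The point of the check is that it runs against the schema, not the perimeter: once the application simply has no column for the card number, there is nothing for a later bolt-on product to protect.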

So back to the point - Schneier seemed to see at the conference a lot of what I see in the trade rags now: product after product after product that doesn't really protect you; it discovers what's already broken, and what's broken is something that should've been engineered properly in the first place.

Better ingredients == better pizza.
Better engineering == more secure code (without having to bolt on security later).
