Video: What security vendors can do to earn some credibility
Much like physicians, security vendors[1] prescribe remedies for their customers' ailments.
Unlike physicians, security vendors have no Hippocratic oath[2]. What if our industry operated under a basic tenet like "First, do no harm"? Instead, security vendors continue to add new layers of complexity, and therefore new attack surfaces, with the intention of solving a security problem lower in the stack.
Their rationale? That it is better than doing nothing or better than what the customer had in place the day before.
This argument is short-sighted and indicates a lack of comprehension of the risk they are imparting to their customers. Is it intentional or mere ignorance on the part of the vendors? And what can enterprises do to protect themselves? How do we get to a new cybersecurity industry ethos, focused on viable solutions and committed to doing no harm?
The cure is worse than the disease
Apple, Google, and Microsoft have spent millions of dollars, on both technology and developers, to lock down the OS and build resiliency subsystems to make exploitation highly expensive for the attacker in terms of time and labor -- for example, jailbreaking[4] or sandbox evasion.
And yet, security vendors (including many of the biggest brands in endpoint, network security and container security) introduce new vulnerabilities and additional risk by breaking the default security boundaries established in all the major operating systems.
Many endpoint and network security vendors introduce new attack surfaces by adding complexity. Instead of looking at the root cause of an issue, they continue to