Compliance As Kick-Starter

"Regulation is a boon to security. Without the government and other private organizations leading security around by its nose, we would be eternally trapped in the "just strap another pizza box into the rack" solutions offered by clueless vendors. There were zillions of them at RSA this year.

One problem is that many security vendors seem to be in it for the money. For example, antivirus vendors love to tie you to the gerbil wheel of virus definition updates, even though they know there are superior antivirus approaches to the ones they currently sell which would not require constant updates (or the associated recurring revenue stream).

And just about all vendors are guilty of the silver bullet myth, that is, "just buy our silvery bullet-like stuff and your security problems will miraculously disappear." The worst silver bullet offenders are the application firewall people. Talk about approaching the right problem (software security) in the wrong way (network traffic inspection)!

Fortunately there are regulations to rescue us from our own nonsense. Probably the best regulatory nose-leading has been carried out by Sarbanes-Oxley. In the first runner-up category, the credit card consortium's Payment Card Industry (PCI) standards have likewise generated great forward progress in security."

Article Link: http://www.darkreading.com/document.asp?doc_id=119163