So, Mary Ann Davidson has a blog. I haven't ever met Mary Ann in person, but I have seen her speak a few times - she's an excellent speaker, and does an amazing job of getting her message out.
But I have yet to hear her say much that I really agree with.
(Aside: I was scheduled to speak on a panel with her at the Security Standard in Boston, but with leaving nCircle, TK's going to take that spot. I was quite looking forward to that discussion.)
Anyways, her blog has the following nugget on it:
"Think about it, why do we need all these "protection" products like anti-spam, anti-virus, specialty firewalls and so on? Yes, defense-in-depth is sound defensive security practice, but in general, if enterprise software were more robust, self-defending and didn't have so many dumb (technical term) coding errors (DCEs), we wouldn't need so many products that are supposed to protect against attacks engendered by DCEs."
I completely agree with her on this point - and if cars didn't have so many dumb mechanical errors (DMEs), we wouldn't need auto-mechanics either. Except that people crash cars. Okay, well, if we didn't have terrorists, we wouldn't need airport screenings either. Except that some redneck would probably forget to take his gun out of his pants pocket.
It's the same thing in the security community - even the most self-defending computer code can be defeated by a user with a sufficient defecit of clue. And, really, that's what most "bandaid solutions" (as she calls them) are for. They protect enterprises from their user's lack of clue. ("Oh, look... an email that says "I love you"... let me open that attachement!!!")
While the security world would be better off if all of the vulnerabilities (DCEs) went away today, I'm confident that I'd still have a job if that happened. Because it's going to take a long, long time to teach users not to open attachments in their email, or download games from untrustworthy sites.