Security: Product vs People and Process

One of the hardest concepts to get across in information security is that people and processes matter more to your overall security posture than products do. That is not to say that products are unimportant: a deficiency in any one of the three P's must be compensated for by the other two. But of the three, PRODUCT is the easiest to overcome with the right people (or properly trained people) and appropriate processes.

In a recent eWeek Research Central blog entry, it was noted that a CIO Insight 2006 survey shows that not everyone sees inherent security as one of the virtues of Open Source software as compared to Windows-based software.

This doesn’t mean that they think that Open Source software is insecure, or that Windows-based software is automatically secure, but I think that there is a greater understanding of the following two things:

  1. Software may provide better or worse support for security out of the box, but most software offers enough configuration options that the user or administrator is the final determiner of how secure the application actually is.
  2. Many of today’s applications are cross-platform, and tend to have a similar level of security across all of the platforms upon which they reside.  As an example, when Apple updates QuickTime or iTunes, they are very often updating it for BOTH Windows and the Mac, regardless of what your viewpoint may be on the relative strengths of either platform from a security perspective.

Thus, it is more reasonable to compare the security of an application with that of other, similar applications — regardless of platform — and it is very important to consider the strengths of the people who will be managing or using the applications in question, because they are the ultimate determining factor in the security of the application. Far more security issues stem from configuration errors than from outright code vulnerabilities, even though code vulnerabilities still get lots of press (primarily because they are often harder to mitigate and are guaranteed to affect a larger number of users if exploited).
