Advanced Persistent Buzzwords (Or: Yes, You Do Have to Outrun the Bear)

Hi all, Bryan here – I’m back home in snowy Seattle after a fun-filled week in San Francisco for RSA Conference 2011. One of my favorite games to play at RSA each year is to identify the hot buzzword or phrase of the year: the one meme that keeps popping up in every session and every vendor’s booth. The last few years have, of course, belonged to The Cloud, and this year looked like it was shaping up to be the year of the Advanced Persistent Threat. But then a dark horse came out of nowhere and snatched the buzzword crown away. The award for most overused expression for 2011 goes to The Bear – as in: You Don’t Have to Outrun the Bear.

I’m sure everyone reading this has heard the old joke about outrunning bears before, so I won’t tell it again here. Personally, I’ve never been a big fan of this philosophy. Basically, it suggests that you don’t have to aim for perfect security; you just have to be a little bit harder to attack than the other people around you. Now I know that security is not an absolute, that there’s no such thing as perfect security. But is “let them do it to the other guy” really the best we can strive for as an industry? It reminds me of the Far Side cartoon where (ironically) a bear is caught in a hunter’s crosshairs, and he’s grinning and pointing at his friend standing next to him. It’s especially worrying to me that this message seems to resonate so well with so many people.

Since we’re already talking about clichéd expressions, take a look at the Tragedy of the Commons, if you want to know where this line of thought will take us. Or better still, adopt a security philosophy that benefits the community, maybe “a rising tide lifts all ships.” This is the attitude that the most security-mature organizations take. Adobe benefits from platform defenses created by Microsoft and Apple. Microsoft and Apple likewise benefit from application defenses we build into our products, like the Adobe Reader sandbox. Even if you don’t work for an OS vendor, you can always contribute time to an open-source security project like the OWASP projects or simply share your knowledge by writing about what you’ve learned and helping others to avoid the same mistakes.

Ok, I’m getting off my soapbox now. I promise that next time I’ll be back with a less philosophical post that has some code snippets in it. But in the meantime, remember that it’s not enough just to run faster than your friend. If he’s falling behind, grab his arm, pull him to safety, and maybe both of you can live to tell about how you outran the bear.

Security is an industry concern and not one that is limited to a select group of vendors or products. No organization is immune to vulnerabilities and exploits. It is critical that vendors and the security community at large partner and work together to try and stay ahead of the game and combat those with malicious intent.