ROFL. Seems obvious, doesn't it? However, if it were actually obvious to a majority of security people there would not be a commercial security defense product market. RSA had 50K attendees, so clearly there is still a commercial market :/

So yes, this is stating the obvious to this list, but it is not stating the obvious to the majority. I guess my real intent was to rebut Michal's statement that the blame should fall, partially at least, on the vendors. Vendors build what they can sell. Yes, they try to keep selling what they offer even in the face of evidence that it does not provide much value. But they will fail if they don't ultimately have a product that people buy. Clearly there are not enough engineers making the good case that these products are not worth buying. Michal and I both work in interesting environments that clearly highlight the contrast between problems and solutions. I ultimately agree with Michal; I just think the practitioners are to blame, not the vendors.

On Fri, Mar 25, 2011 at 9:34 AM, andrew Wilson <[email protected]> wrote:
> Are you suggesting that you can't solve crappy software with more
> crappy software in front of it? Weird...
>
> On Wed, Mar 23, 2011 at 1:31 PM, Dominique Brezinski
> <[email protected]> wrote:
>> On Wed, Mar 23, 2011 at 10:17 AM, Michal Zalewski <[email protected]>
>> wrote:
>>> The real tragedy of infosec is that we simply don't have the tools to
>>> secure large and complex organizations particularly well - not against
>>> governments, but against bored kids with an agenda. Security vendors
>>> are partly to blame for perpetuating a myth that a secure organization
>>> can be built on top of the commercial AV or IDS tools that said
>>> vendors happen to offer. It does not come as a surprise that this model
>>> does not work well, and "the world of cyber" has very little to do
>>> with it.
>>
>> <tangent>
>> +1 to that. Let's see, commercial security products are largely
>> parsers of untrusted data. In fact they often know how to parse many
>> things the targets behind them, or that they run on, don't. They also
>> tend to run with privilege or at critical points in the
>> infrastructure. What does that spell? ATTACK SURFACE. Yah!
>>
>> How come only 1% of security people get that?
>> </tangent>
>> _______________________________________________
>> Dailydave mailing list
>> [email protected]
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
>
>
>
> --
> Who then shall I fear?
