Security's Everyman

Thursday, August 16, 2007

What's wrong with this statement?

I saw this article on Network World today regarding VoIP (in)security. This statement caught my eye. See if you have the same thought that I did.

"Much of the notoriety of VoIP vulnerabilities come because the technology is relatively new and its code wasn't necessarily written with security in mind — a problem that plagues many new technologies."

What do you see wrong with this statement? Shouldn't newer technologies be written with security in mind? I can see where Ethernet, IP and such didn't take security into consideration when they were created. Security was hardly even on the radar then. Now it's everywhere! There is no excuse for any technology that has come about in the last 10 years to not have security as a primary design consideration. I know that even 10 years ago security wasn't big, but anyone who had any foresight would have seen what was coming.

I haven't ranted in a while about how software companies have to put more work into shipping secure products. This mindset of sacrificing security for "speed to market" has got to go.

1 comment:

David S. said...

I agree, but aren't new technologies still developed by playing with an idea until you have something that works, then figuring out how to make money out of it? (To really oversimplify and overgeneralize.) Or some things are invented not for moneymaking, and then become popular with explosive growth, at which time people realize they can make money out of it, but security wasn't built in at first because it was a "toy."

I don't know the history of VoIP well enough to say if this is the case, because I don't really work with it. But I don't think everything new in the near future is automatically going to be built with strong security in mind when adding security (can) reduce usability (which companies want to maximize for new technologies so it becomes popular) and increase costs (since you have to also think about security while designing, which is just more to do).

It's not a good thing, but until everyone either works in security or sees the benefit of it (or even thinks about it), they aren't going to get it until there's a problem that forces it, driven by market demand. Sad though, as I love security and see it missing in so many places it needs to be!

But what do I know? I'm the one-man IT department at a church who has never set up or used a VoIP system :-)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.