Chapter 1. The Security Industry Is Broken

When I was in college, I worked on the Alice project, run by Randy Pausch of “Last Lecture” fame. Alice was a system for virtual reality and 3D graphics—working on it got me the few cool points I had in college. However, the primary goal of Randy’s project had nothing to do with virtual reality or being cool. It was all about making computer programming easy. Randy wanted high school kids to be able to write their own computer games without having to be computer programmers. The goal was to get them programming without noticing they were doing it.

After I got over the cool factor of fighting droids with a real light saber in a virtual reality environment (you held a flashlight in your hand, but it looked like a light saber in virtual reality), I found I wasn’t actually all that passionate about computer graphics. But Randy had definitely gotten me excited about making things easy for average people.

My first introduction to Randy came when I took his Usability Engineering class, which was about making software products that are easy to use. I was struggling with whether I wanted to go into the computer field at all. I knew I was good at it, but the previous coursework I’d taken had almost scared me off because it kept me dozing off…classes like Fortran and Discrete Math.

But on the first day of class, Randy showed us a VCR and talked about how difficult it was to do simple things, like set the time. He talked about how the buttons were all clumped together in ways that made it difficult to distinguish what was what. He got everyone sharing their frustrations with their VCRs, and with plenty of other common things, such as light switches that don’t turn off the light you think they should, or doors that you think you should push but actually require you to pull.

Then Randy put on goggles, pulled out a sledgehammer, and beat the crap out of the VCR. Then he proceeded to destroy other donated devices with shoddy user interfaces.

That inspired me. It made me realize that the entire consumer electronics industry and the computer software industry were fundamentally broken, because they weren’t really providing people with good experiences, just passable ones. It seemed that everywhere I looked, people making products were assuming they knew their users, without spending enough time actually talking to them. Nearly 15 years later, very little has changed; the average user is still an afterthought. I’ve met many product managers who are supposed to figure out what to build, and only a few of them spent any significant time with their users. Most work on projects that in the grand scheme of things should be less important than embracing the customer, like helping support sales efforts or building marketing material.

Once I got out of college, I switched immediately into the security field, where I’ve been for about 10 years now. This field was easy to get passionate about because bad security was clearly having a negative impact on the world. Almost everyone I knew who ran Windows had some horror story about a virus deleting their files, crashing their machines, or otherwise doing something to sap productivity. In college, I’d already seen the impact of software flaws on machines connected to the Internet, having seen hackers delete content and render machines unusable, all because of some incredibly subtle problem in code written by a third party.

Very quickly, I got up to speed on the field, then started doing my best to have an impact. Along with Gary McGraw, I wrote my first book on how to keep security bugs out of software, Building Secure Software (Addison-Wesley; we are finally looking at doing a long-overdue revision), and a few others—I’m particularly proud of the Secure Programming Cookbook (O’Reilly; http://oreilly.com/catalog/9780596003944/). Then I started a company called Secure Software, which built tools to automatically find security problems in programs by looking at the code that developers write (that company was acquired by Fortify, and I am now on the Fortify advisory board). I then took a job as Vice President, Chief Security Architect at McAfee, which would like you to know it’s the world’s largest dedicated IT Security company (Symantec is several times larger, but it does a few things that aren’t security, allowing McAfee to make the claim with a straight face). After a couple of years of doing a lot of merger and acquisitions work, plus managing the engineering of most of the core technologies that are shared across McAfee’s products, such as the antivirus (AV) engine, I left to do another startup, and was back at McAfee within a year, this time as CTO of the Software-as-a-Service business unit.

Ten years later, the security world doesn’t seem too much better for my efforts. In fact, in many ways, things have gotten worse. Sure, in part this is because lots more people are on the Internet, and computer security is an incredibly difficult thing to get right.

Still, everywhere I turn in the security world, I see, as my friend Mark Curphey likes to say, “security bullshit.” This industry is not focused on providing users a good experience with its products. But even worse, it is not really focused on providing the more secure experience that is implicitly promised.

For instance, look at the bedrock of the computer security industry, the piece that more or less everybody feels they need to have: AV. Most normal people think that AV solutions don’t work very well. And, for the most part, that’s right (even though AV vendors are continually trying to improve their products). These solutions are often 15 years old, and address the problems of that time, not this one. Most of the major players could have been doing a much better job for a long time, but inertia has kept everyone running crapware that takes up too much of your system’s resources to stop probably less than half of all potential infections.

Like Randy Pausch smashing a VCR, I’d like to help people realize what is wrong with the industry, and I am hoping to inspire at least a couple of people to put customers first in their business pursuits in the security world.

In this book, I’m going to spend a lot of time sharing my perspective on the industry. As much as I can, I’ll try not only to identify the glaring problems that I see, but also to show what the industry can do differently.

For the most part, my criticisms will apply to most companies, but not all. For instance, I have been very happy with McAfee’s technological progress over the past few years. In general, it has listened to me and to a lot of other smart people, including its customers. I’ll try not to promote McAfee too much, but in many cases, you can bet that the problems I discuss have been considered there, and we’ve either addressed them or we plan to address them.

I don’t believe that there is a “silver bullet” for security, but I do think that end users should be getting a lot more for their money, including a better experience (like AV that doesn’t slow down their computers) and better security (like AV that is more than one step above “worthless”). A lot of little things are just fundamentally wrong, and the industry as a whole is broken.
