
Security will never be perfect

By Alex Kayle
Security Summit 2009, 27 May 2009

There is no silver bullet to perfect security and a determined attacker will always find a way into an IT system.

This is according to Window Snyder, CEO and founder of In Every Hand, speaking at the ITWeb Security Summit, in Midrand, this week.

She noted that a company will only become aware of a problem when it's too late.

“We want security to be perfect, but it will never be, even if we do everything that best practices tell us to and even if we've done all the security research and developed a security life cycle over all the processes. A determined attacker will find an opportunity, exploit a vulnerability and there's very little we can do about that.”

How much security is too much? Snyder, formerly chief of security at Mozilla and senior security strategist at Microsoft, said organisations need to evaluate the real value derived from security, versus the cost and user frustration in deploying the security systems.

The security industry has become better at developing anti-virus software; however, Snyder pointed out that malware and viruses are evolving so rapidly that security software only protects against older threats at the baseline.

Snyder said many companies go overboard in securing their systems and infrastructure, but even tough security mechanisms can be easily defeated.

“The security industry needs to be more methodical. In the past, we had a much more intuitive approach to detecting vulnerabilities. Through threat modelling, we can identify ways of procedurally defining where the areas of highest risk are.”

Snyder is co-author of Threat Modeling, a manual for security architecture analysis in software applications.