For those of you who are not familiar with Gene Spafford from Purdue's CERIAS (the Center for Education and Research in Information Assurance and Security) or his blog, I would encourage you to check them both out. I've had the great pleasure of working with Spaf and one of his latest posts is absolutely on target, albeit from an altruistic standpoint.
In "Solving Some of the Wrong Problems" Spaf points out that most of our efforts in information security go into treating the symptoms created by the very nature of the unsecure products we and our companies use. Simply put, we know how to build more secure software, databases, networks and systems in general; the problem is that neither we nor our vendors actually do it.
"We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.
Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised..."
"I’m not trying to claim there aren’t worthwhile topics for open research — there are. I’m simply disheartened that we are not using so much of what we already know how to do, and continue to strive for patches and add-ons to make up for it...
Let’s start using what we know instead of continuing to patch the broken, unsecure, and dangerous infrastructure that we currently have. Will it be easy? No, but neither is quitting smoking! But the results are ultimately going to provide us some real benefit, if we can exert the requisite willpower."
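To make two of the principles Spaf lists above concrete (least privilege and separation of privilege, with minimization of the interface thrown in), here is a small added example in Python. It is not code from Spaf's post or from CERIAS; the broker structure, the `ReadOnlyDirectory` capability, the `GET <name>` request format and the sample files are all constructed for this illustration. The component that parses untrusted input is never handed a general-purpose file API; it only receives a narrowly scoped read capability for one directory, so a logic bug in the request handler cannot turn into arbitrary file access.

```python
"""Least privilege and separation of privilege in a tiny broker pattern.

Added illustration; names, paths and request strings are constructed.
"""
import os
import shutil
import tempfile
from dataclasses import dataclass


class PolicyViolation(Exception):
    """Raised when a request asks for more than the capability allows."""


@dataclass(frozen=True)
class ReadOnlyDirectory:
    """A minimal capability: read files under exactly one directory.

    The holder cannot write, list arbitrary paths, or escape `root`.
    Keeping the interface this small is the 'minimization' principle:
    there is less surface for a bug in the caller to misuse.
    """
    root: str

    def read(self, relative_name: str, max_bytes: int = 4096) -> bytes:
        # realpath resolves '..' and symlinks, so a link planted inside
        # root that points outside is rejected along with plain traversal.
        root = os.path.realpath(self.root)
        target = os.path.realpath(os.path.join(root, relative_name))
        try:
            inside = os.path.commonpath([root, target]) == root
        except ValueError:  # different drives on Windows: never inside
            inside = False
        if not inside:
            raise PolicyViolation(f"{relative_name!r} escapes {self.root!r}")
        with open(target, "rb") as fh:
            return fh.read(max_bytes)


def handle_request(cap: ReadOnlyDirectory, request: str) -> str:
    """Untrusted-input side: it only ever sees `cap`, never open().

    Request format (constructed for the example): "GET <name>".
    """
    verb, _, name = request.partition(" ")
    if verb != "GET" or not name:
        return "400 bad request"
    try:
        return "200 " + cap.read(name).decode("utf-8", "replace")
    except PolicyViolation:
        return "403 forbidden"
    except FileNotFoundError:
        return "404 not found"


def demo() -> dict:
    """Build a throwaway tree and run three constructed requests."""
    base = tempfile.mkdtemp(prefix="privsep-demo-")
    try:
        public = os.path.join(base, "public")
        os.mkdir(public)
        with open(os.path.join(public, "hello.txt"), "w") as fh:
            fh.write("hello")
        # A file that lives outside the granted directory; the handler
        # must not be able to reach it no matter what the request says.
        with open(os.path.join(base, "private.txt"), "w") as fh:
            fh.write("not for the handler")

        cap = ReadOnlyDirectory(public)  # the only privilege handed over
        return {
            "normal": handle_request(cap, "GET hello.txt"),
            "traversal": handle_request(cap, "GET ../private.txt"),
            "missing": handle_request(cap, "GET nope.txt"),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} -> {result}")
```

The point is the shape, not the file server: the privileged decision (which directory may be read) is made once, up front, by code that never looks at a request, and the code that does look at requests is given nothing it could misuse. Dropping to a separate OS user or a sandboxed process is the same idea applied at the operating-system layer rather than inside one program.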
It's a great read, and don't blame me if you get sucked into his other posts for quite a while. Speaking of which - check out his view on passwords. These both put my day of HIPAA policy review in perspective!