Article by Ryan Ko
In contrast to 10 years ago, security news and flaw reports are becoming common in the mainstream media.
It will not be long before we see a permanent section in technology news reporting security flaws from so-called security researchers. But is this ‘real research’, and is this information helping the situation in the long run?
Fundamentally, research involves a scientific and methodical approach to improving the state of the art. This involves:
(1) surveying the current strengths, limitations, and schools of thoughts,
(2) eventually proposing, implementing and
(3) testing new, revolutionary approaches to create a game-changing or disruptive innovation which not only solves the problem but makes all previous solutions (and problems) obsolete.
Let’s take a step back and look across the security news headlines again, and you will soon realize that most of the articles are still at point (1), and rarely do you come across any research at (2) or at (3). As an IT security researcher, this is the main concern I have with my industry.
Most security researchers are still comfortable with identifying flaws or racing to be the first to find zero-day vulnerabilities. But wait a minute: is this productive, and isn’t it human to err? If that is the case, why is it surprising to find flaws in new software or applications?
Yes, one can point out that mobile phones or even modern automobile systems have security flaws, but is this newsworthy? Are they revolutionary and did they help to make the situation better or worse?
If a fire breaks out, which kind of people would you prefer? The ones who incessantly scream: “Look, there is a fire!” or the ones who actually put out the fire and then gather together to design the place to be more fire safe in the future?
Being a critic is easier than being an innovator, or being one of the engineers who labor for hours or even years to create something beautiful and useful for society. So, are most IT security researchers really helping the situation, or simply pointing fingers?
Granted, they report the flaws to the software companies in the hope that the companies will fix them, but how many actually follow through to create that quantum leap to prevent similar events from happening? Apart from fear mongering, what else can they achieve?
We already have enough digital garbage, and generating more ‘research’ which reveals nothing but flaws and offering no solutions will make the cycle reactionary and unsustainable. This eventually makes the race more and more difficult for the ‘good guys’.
There needs to be research which genuinely addresses the reactionary nature of security solutions, and works to outsmart impending security threats. That’s what we are striving to do at HP Labs’ Cloud and Security Lab based in Singapore, Bristol and Princeton.
For example, we have a number of researchers working on long-term and impending cloud security issues. Our TrustCloud project addresses key issues and challenges in achieving a trusted and accountable cloud through detective controls, combining technical and policy-based approaches. Our G-Cloud project is a program to develop a cloud infrastructure with government-grade security while maintaining flexibility and efficiency, and making sure that services are protected against future cyber attacks.
An encouraging trend is the recent rising interest from both academia and government-linked research institutions in addressing security issues via fundamental research methodologies. For example, just a few years ago, expensive biometrics-based security research was all the rage as there was an urgent need to solve serious authentication breaches.
Interestingly, it took a simple proposal, two-factor authentication (2FA) using, for example, one-time passwords, to eradicate the need for elaborate biometrics equipment, because the novel approach simply leverages existing tools such as our mobile devices or platforms.
This kind of disruptive innovation is what the security industry needs to see, so that it changes the playing field for the “bad guys” and delays the time it takes them to outsmart the systems. Oh yes, 20-year-old problems such as buffer overflow still exist. I wonder why…
Cross-posted from Following the White Rabbit