ZDNet UK


Is it boom time for IT security?

John McCormick

Published: 24 Feb 2003 11:50 GMT


Anyone wanting to continue the debate over which software approach to security is more useful, proprietary/closed source (e.g., Microsoft) or open source, will be interested in the work of Cambridge don Ross Anderson, the head of security for the University of Cambridge Computer Library.

Anderson has said that there is little difference between the security of open source and proprietary software. He believes that what's most important in software security is how fast new vulnerabilities are produced and how quickly they are applied in the real world.

His conclusion that open source is not more secure is based on the fact that attackers always have an easier job than defenders, if only because they have to find just one hole, while defenders have to protect everything. Given this argument, it follows that although it may be easier to discover problems and produce patches for open source software, it's also easier for attackers to analyse it for vulnerabilities.

This doesn't make open source extremely vulnerable, according to Anderson. What it does is level the playing field so much that there is no obvious reason to select open source over proprietary products for security reasons. This is simply a critical analysis of the various conditions involved.

If you want to take issue with Anderson's conclusions, you first need to read his full statistical analysis, "Security in Open versus Closed Systems -- The Dance of Boltzmann, Coase and Moore". Anderson's Web site is also interesting because it focuses on the economics of security.

Final word

Every indication is that security professionals will face massively increasing demands in 2003 and in the years ahead. No matter what software you support now or are trained to manage, I think the most important piece of information you can take away from this column is the IDC study, which predicts a 25 percent compound annual growth in the cybersecurity hardware market over the next five years. Someone has to manage the purchasing, installation, and operation of that hardware.

IT pros who can develop a skilled and professional approach to security will be able to manage the variety of systems and platforms that companies select from among the many vendors now vying for a share of the security gold mine. The days of worker shortages and big signing bonuses may be long gone for dot-com Web designers, but they may be just beginning for security professionals.

