The security systems vendors have been coming in for a good kicking recently. As one speaker put it at the SC Conference last month: "What's the difference between a used-car salesman and a computer security salesman? The used-car salesman knows he's lying."
The message is that companies are peddling sub-standard products that just don't work properly, and that most of the people selling them don't understand what they are trying to get customers to buy.
This was bolstered a few days later by a meeting hosted by the DTI where the SANS Institute revealed its latest Top 20 vulnerabilities in widely used software. Apart from going through the hackers' favourite entry-points for causing trouble, the meeting fired a general broadside at the whole vendor community, accusing it of a "Let's blame the user" approach.
The answer, according to SANS research director Alan Paller, is to get the Government to use its mighty purchasing power to demand better security in the products it buys.
He gave a few examples of US government departments and the US Air Force, where in exchange for a nice juicy order, software companies (usually Microsoft or Oracle) had supplied properly hardened, locked-down versions of their products, rather than placing the burden on the users to do the work.
If governments use their muscle, he said, the software suppliers could be persuaded to supply decent products to everybody.
Of course, that is also why the Jericho Forum has come to have such an influence in the market. This group of large users, which started in the UK but has quickly acquired disciples worldwide, has raised the level of debate in the industry and has shown the influence that a well-organised group of users can exert.
By spelling out the kind of world they want in three to five years' time – in a word, 'deperimeterised' – they have begun to alter the balance of power between the supply and demand side of the market. They are specifying what will be needed, and determining what the suppliers will develop in future, if they know what's good for them.
So I think we have the first murmurings of a revolution here. People are daring to point out that the Emperor has no clothes – or in this case, that we have an industry based on products going wrong all the time and needing to be constantly patched.
Instead of feeling put upon, the vendors need to see this as an opportunity. After all, they have lots of big users actually explaining what they want to buy. All they have to do now is go away and make products that deliver to those specifications, and they have guaranteed business.
Ron Condon is editor-in-chief of SC Magazine