About this site
For six years, the Internet Nexus served as my technology blog, but I've since started
blogging at the SuperSite Blog instead. If you're looking for the blog, please head there. --Paul
Monday, February 14, 2005
Security Misconceptions
Rob Enderle: Security starts with the user. If you aren't willing to ensure that only authorized users have access to sensitive systems, then you deserve what you get if your systems are penetrated. If you refuse to put locks on your door and someone steals your stuff, isn't that your fault?
The belief that open source is more secure is largely unfounded. Take Firefox -- a 1.0 product with two active support folks and a key designer who just left to work for Google. Yes, it works on a lot of sites just as Opera did when it was the hot browser; yes, it isn't (or wasn't) targeted by as many exploits; yes, it does seem faster (so did Opera). But if it used to be obscure, it certainly isn't today, and that means it will increasingly be targeted.
It is hard to figure out how many security vulnerabilities the product actually has. You can go to Security Focus and search on Mozilla as the vendor and then Firefox as the title and come up with 39. On Secunia, you'll see not only that the number of reported vulnerabilities is increasing, but also that 88 percent remain unpatched or only partially fixed. Internet Security Systems documents 62 security exposures, but I can't tell easily how many of those 62 have been corrected in the 1.0 product. At least some of the Mac folks are asking this question and concluding that the Apple browser is vastly more secure.
In the world I thought I lived in, if you ran around telling people to migrate to a 1.0 product over a 6+ product from a branded vendor, particularly when the 1.0 product only had two full-time support people, you'd be taken to a quiet padded cell. Firefox is getting a ton of press, and people will attack it. How will two people and a handful of volunteers be able to protect you? If you are in a company and are audited for this choice, the word "oops" doesn't protect you.
In the end it is your privacy, or your company's privacy, you are protecting. Stay focused on the bad guys, the people who want to steal your stuff, your identity and your peace of mind. Do your own research and think through the process. Don't think just of the exposures that exist today -- think ahead to the exposures you will need to address next week, next month and next year. You may make the same choices, but at least you'll be vastly better at defending those choices. Given the career implications, this approach will do a lot to cover your assets.
Posted at 10:34 AM