I attended a client's Christmas lunch yesterday. Together we were a nice formiddable cluster of forces with lots of proven talents in our own fields — engineers, executives, lawyers, strategists, and investors. At one point we talked about the current and near future security landscape and, frankly, the picture looks real good for security technology companies.
Most notable change was that the bad guys are focusing more on ways to attack at the infrastructure level, not only taking advantage of existing vulnerabilities but boldly creating their own. For example, selling Cisco router clones with compromised firmware means they can gain full control over all the packets passing through those routers anytime they want.
With the world full of bad guys, working hard constantly to create new market opportunities for security companies, profit for those companies hangs in the balance between hope and despair. With too much of either, disbelief kicks in. While finding the right balance is difficult to do as a group, security technology market ecosystem is IMHO better than others such as open source market (create a useful jungle of a mess en masse, sell survival manuals and cleanup service), although not as good as the one defense companies have.
It's not just the criminals who are working hard. Folks at Secunia have discovered another mind-wheeling IE vulnerability. If you look at how it's implemented (view source on the page), you can see that it takes no more than a few minutes to mimick any website your want with minimal hassle.
If you are in the software business, you shouldn't despair. The good news (?) is that highly critical vulnerabilities encourage users to update their software at unprecedented rate. For example, this Acrobat Reader vulnerability, which allows hackers to run their code as soon as someone opens a compromised PDF file available over the web, means everyone with Acrobat Reader should update.
The added bonus for developers is that hassles of supporting legacy code can be easily blasted away with vulnerabilities (we really want to support legacy browsers, but we can't for security reasons) and creates new opportunities (Foo Explorer is full of bugs, get Foofox).
So are we winning the war against hackers? You bet. While the flow of vulnerabilities (hole flow?) will not stop until all of us are buried and stomped on for good measure, the good guys are making a lot more money than the bad guys. Winning is easy if you are more flexible with the definition of 'we'.
Sorry guys. I am feeling a little sarcastic (insanely optimistic?) today. Maybe a nap will help.
Anyway, I have a big poker game tonight, a poker tournament finale with winners and runner ups from previous tournaments. I attended only one tournament but managed to knockout enough players to secure my spot. Odds are against me though. Since I attended only one tournament, I don't know most of tonight's players and I haven't had any time to plan my strategy. On top of that, I had only four hours of sleep last night. So I'll have to wing it as I go and try to stay awake though the slugging fest.