Firewall Wizards mailing list archives
Re: The Future of Security
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 30 Nov 1999 19:36:39 -0500
I am interested to know where the experts see the security industry move towards during the next 1-5 years. What security skills are in demand today and what will be needed in the future?
My guess is that not much will change at the broad level. Most of the security problems we have today (active content, transitive trust, trojan horses, firewall permeability) are problems we have had for a long time. Security experts' most crucial skills, in my opinion, are the ability to synthesize common sense from a large number of conflicting and apparently unconnected inputs. In other words, you need to see the forest and the trees, and understand how trees imply forests and vice versa. That's a useful skill in just about any profession, from security analyst to stock broker, CEO, or restaurant owner.

On the technical side, I think the biggest issue for all of us will be making sense of the bewilderingly complex menu of offerings in modern networks. What, of a host of options, works, and what does not - and why. This is going to be particularly dicey when it comes to all the myriads of new applications which are and will be coming out. My prediction is that security experts will specialize into niches based on what they're interested in. Others will specialize in tying together many niches. Some of this process has been going on for a long time. For example, there are security folks whose entire focus is NT, or Netware, or Java, or browsers. There are others who don't focus on details but worry about the implications of combined security issues in how (for example) browsers interact with NT.

To me, what's endlessly fascinating about the field is that the vulnerabilities and problems relate to the cross product of entities deployed. For example, if you are worried about security of browsers on Win98, NT, UNIX, and Macs, and there are 2 (let's keep it simple!) browsers for those platforms, there are 8 or so different problem domains to worry about at a detailed level, and 4 or 2 at a higher level. Keeping track of that kind of stuff is going to be full-time jobs for a lot of smart people.

Another place I see security heading in the next 5 years is the whole issue of tracking users to their actions over the Internet. Depending on what laws get passed, etc, that could be a very interesting problem. It's going to be directly related to whatever resolution occurs with respect to the problems in Ecommerce, online auctions, denial of service, spamming, etc. These are all places where Internet society is torn between its love of anonymity and its desire to catch and strangle miscreants.

I think many things will become appliances, as computers move into an ever-increasing household penetration. This will bring up new sets of problems. What if someone hacks your toaster oven? OK, that's probably not realistic, but what about Dreamcast, and Playstation 2, which will have humongous installed bases and which will all run IP?? My Dreamcast has a browser and a terrifying logo on the front that it is made for Windows CE. Again, there will be fascinating niches for specialization.

About the only thing that scares me is that security may become a problem that everyone hates because it never goes away. I don't want to see security experts lumped in with lawyers and insurance salespeople, as "people you hate to but have to do business with." Security, eventually, will have to solve something. Someday. Of course, I'm one of the security guys that operates at the "forest level" rather than the "tree level" (I got sick of building trees!) and at the forest level a lot of our problems appear to be unsolvable.

Sorry to ramble!

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr