Bugtraq mailing list archives

Conflict of Interest - My summary


From: "Mark Litchfield" <Mark () ngssoftware com>
Date: Sat, 17 Mar 2007 18:33:30 -0000

One point of view that was raised, whereby it could possibly be determined that an OS vendor providing security applications to protect its OS was a conflict of interest, is as follows:

"IMHO I think the fear has always been that as long as an OS was closed source, that company owning that OS could write or have inside knowledge of vulnerability information that would benefit or promote that security product more than another company. This could almost be classified like insider trading."

Whilst this statement is somewhat true, many of the security vendors offer up many other enterprise solutions to their customers that are not all about protecting the end user from an 'attack'.

Whilst the install base may not be as big as that of an OS vendor, many of these enterprise solutions can be critical to the daily operation of a business. So for any vulnerabilities found in these products, these security vendors can mitigate the risk at day zero by applying IPS / IDS signatures to their existing product range in the absence of a patch.

Are they likely to share this zero-day information with their competition? I think not.

Also, is it really such a bad thing that an OS vendor who offers up security applications can immediately protect its customer base at almost day zero, when a vulnerability has been reported to secure () whatever com, by adding the protection capability within its security apps? At this point the vendor knows their customers in the interim are protected, whilst they get down to examining the area of code for the flaw, determine if there are any more vulnerabilities and then produce a patch.

Another good example is Oracle, they have their Database Vault, which is 'designed' to add an additional layer of security to protect their database and their customer. This is clearly a responsible approach, but I do not hear any complaints or shouts of a conflict of interest by those that produce 'Database IDS / IPS' solutions.

There will always be the argument that an OS vendor should not charge for the OS and then charge for the additional security protection, but for some vendors they may have no other alternative, as it may pave the way for a lawyers' banquet which they would most likely lose in the end. (I am no lawyer, but one could easily foresee every security vendor filing anti-trust lawsuits; they would have to, they need to protect their business and their shareholders.)

There will also always be the argument from security vendors (and let's be honest about it, they are only talking about Microsoft here) that MS should share zero-day vulnerabilities with them so that they can offer the same level of protection within their security solutions. This is unlikely to ever happen (would they share their zero-days with MS?). Of all the applications out there, do they get zero-day information from any other vendor such as Sun, IBM, HP, Apple etc.? Again, I think not.

My original email was to get a wider, well-informed view of opinions on the subject to determine if my belief was right / wrong.

So I guess my opinion in conclusion still stands: that for ANY software vendor who looks to add additional layers of security (free or not), it (IMHO) is not a conflict of interest and serves the end user well. By whatever means necessary, it should be the responsibility of the vendor to include / offer increased 'peace of mind'.

Thanks to all those that contributed

All the best

Mark
