Firewall Wizards mailing list archives

Re: The Future of Security


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Tue, 30 Nov 1999 19:36:39 -0500


> I am interested to know where the experts see the security industry move
> towards during the next 1-5 years.  What security skills are in demand today
> and what will be needed in the future?


My guess is that not much will change at the broad level. Most of
the security problems we have today (active content, transitive
trust, trojan horses, firewall permeability) are problems we have had
for a long time.

Security experts' most crucial skills, in my opinion, are the ability
to synthesize common sense from a large number of conflicting and
apparently unconnected inputs. In other words, you need to see the
forest and the trees, and understand how trees imply forests and vice
versa. That's a useful skill in just about any profession, from
security analyst to stock broker, CEO, or restaurant owner.

On the technical side, I think the biggest issue for all of us will
be making sense of the bewilderingly complex menu of offerings in
modern networks. What, of a host of options, works, and what does
not - and why. This is going to be particularly dicey when it comes
to all the myriads of new applications which are and will be coming
out. My prediction is that security experts will specialize into
niches based on what they're interested in. Others will specialize
in tying together many niches. Some of this process has been going
on for a long time. For example, there are security folks whose
entire focus is NT, or Netware, or Java, or browsers. There are
others who don't focus on details but worry about the implications
of combined security issues in how (for example) browsers interact
with NT. To me, what's endlessly fascinating about the field is
that the vulnerabilities and problems relate to the cross product
of entities deployed. For example, if you are worried about security
of browsers on Win98, NT, UNIX, and Macs, and there are 2 (let's keep
it simple!) browsers for those platforms, there are 8 or so different
problem domains to worry about at a detailed level, and 4 or 2 at a
higher level. Keeping track of that kind of stuff is going to be
full-time jobs for a lot of smart people.

Another place I see security heading in the next 5 years is the
whole issue of tracking users to their actions over the Internet.
Depending on what laws get passed, etc, that could be a very
interesting problem. It's going to be directly related to whatever
resolution occurs with respect to the problems in Ecommerce, online
auctions, denial of service, spamming, etc. These are all places where
Internet society is torn between its love of anonymity and its desire
to catch and strangle miscreants.

I think many things will become appliances, as computers move
into an ever-increasing household penetration. This will bring
up new sets of problems. What if someone hacks your toaster oven?
OK, that's probably not realistic, but what about Dreamcast, and
Playstation 2, which will have humongous installed bases and
which will all run IP?? My Dreamcast has a browser and a terrifying
logo on the front that it is made for Windows CE. Again, there will
be fascinating niches for specialization.

About the only thing that scares me is that security may become
a problem that everyone hates because it never goes away. I don't
want to see security experts lumped in with lawyers and insurance
salespeople, as "people you hate to but have to do business with."
Security, eventually, will have to solve something. Someday.
Of course, I'm one of the security guys that operates at the
"forest level" rather than the "tree level" (I got sick of building
trees!) and at the forest level a lot of our problems appear to be
unsolvable.

Sorry to ramble!

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr


