Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/30/2019
02:00 PM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming 'Tangible Security' into a Competitive Advantage

Today's consumers want to see and touch security. Meeting this demand will be a win-win for everyone, from users to vendors to security teams.

I have no qualms about postulating that the average technology consumer is well aware of security and privacy issues littering the Internet. That's not to say everyone is motivated to act on these problems, but even many less-than-tech-savvy consumers are continuously exposed to news of vulnerabilities, reports of breaches, and even politics and legislation that attempt to regulate all this chaos. Consumers surely know.

Things were different in the early 2000s. I remember sitting in a security class in college, where the professor disappointedly opined that security isn't a product feature and was therefore doomed to take a backseat to other business priorities. Security, he said, was a mere attribute of quality, a nonfunctional requirement in engineering parlance. A technical detail under the hood, completely invisible to the consumer.

This is in stark contrast with the capabilities and presentation of a product, which all factor into functional requirements: features that consumers can directly observe, interact with, and therefore appreciate as added value. If you can't show your customers how secure your product is, why try to tell them about it? Why invest in security in the first place?

I should clarify that I'm not talking about security products, such as web application firewalls or malware scanners. In those cases, it's natural that security capabilities of the product would take center stage. The real question is, what about everything else?

How to Mold Security into a Tangible Feature
The heightened security awareness that permeates the IT landscape is an untapped opportunity for vendors to commit to tangible security features, and transform that investment into a competitive edge. Perhaps a sign of the times to come, big players like Apple have for some time flaunted how they build security and privacy into their products. However, let me point you to a less ubiquitous product: Signal, a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger LLC.

Signal isn't the most refined messaging application out there. It does get cryptography right, but so do some competitors. What sets Signal apart is how it positions itself as the messaging application for the security conscious crowd and drives that home by empowering users with meaningful privacy features.

For example, security often has a usability overhead such as the authentication of communication endpoints, which may require communicating parties to verify each other's identity out-of-band. Technologies like GPG-based email encryption front ends often hide these details, and instead save this cumbersome task for power users who seek that added assurance.

In contrast, Signal includes user verification as an explicit step when adding new contacts, integrates the process into its user interface, and eases the usability burden by utilizing QR codes. In the end, Signal doesn't even come close to solving this age-old problem but still transforms endpoint authentication into a palatable feature rather than hiding it from sight.

Signal also could have implemented a robust end-to-end encryption protocol and called it a day. Instead, it has positioned privacy as a pivotal product feature from the get-go, and carved out a market among the stiff competition thanks to that.

Stellar Security vs. Mediocre Performance?
Do consumers value security enough to give ground on other, more conventional feature expectations? Put another way, can vendors successfully position their stellar security to offset mediocre performance, inferior usability, or difficult integration? We're not quite there yet, and I do realize that Signal is more an aberration than the bellwether.

That said, today security can be designed as a feature that stands on its own. And it should be. As we rapidly approach a day when security may trump other priorities, it's time to start thinking about how security applies to core feature design principles. That won't be an easy task. Engineering needs to transform security into functional requirements deeply embedded into user experience. Marketing needs to advocate security and bolster consumer relationships aligned with the ever-changing threat landscape. Management needs to support this entire strategic change.

The time is right to make security a tangible product feature. Consumers want to see and touch security, and meeting this demand will help vendors stay ahead of the game. It's a win-win situation.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28973
PUBLISHED: 2021-04-21
The ABUS Secvest wireless alarm system FUAA50000 (v3.01.17) fails to properly authenticate some requests to its built-in HTTPS interface. Someone can use this vulnerability to obtain sensitive information from the system, such as usernames and passwords. This information can then be used to reconfig...
CVE-2021-29456
PUBLISHED: 2021-04-21
Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. In versions 4.27.4 and earlier, utilizing a HTTP query parameter an attacker is able to redirect users from the web application to any...
CVE-2021-31523
PUBLISHED: 2021-04-21
The Debian xscreensaver 5.42+dfsg1-1 package for XScreenSaver has cap_net_raw enabled for the /usr/libexec/xscreensaver/sonar file, which allows local users to gain privileges because this is arguably incompatible with the design of the Mesa 3D Graphics library dependency.
CVE-2020-23907
PUBLISHED: 2021-04-21
An issue was discovered in retdec v3.3. In function canSplitFunctionOn() of ir_modifications.cpp, there is a possible out of bounds read due to a heap buffer overflow. The impact is: Deny of Service, Memory Disclosure, and Possible Code Execution.
CVE-2020-23912
PUBLISHED: 2021-04-21
An issue was discovered in Bento4 through v1.6.0-637. A NULL pointer dereference exists in the function AP4_StszAtom::GetSampleSize() located in Ap4StszAtom.cpp. It allows an attacker to cause Denial of Service.