Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/30/2019
02:00 PM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming 'Tangible Security' into a Competitive Advantage

Today's consumers want to see and touch security. Meeting this demand will be a win-win for everyone, from users to vendors to security teams.

I have no qualms about postulating that the average technology consumer is well aware of security and privacy issues littering the Internet. That's not to say everyone is motivated to act on these problems, but even many less-than-tech-savvy consumers are continuously exposed to news of vulnerabilities, reports of breaches, and even politics and legislation that attempt to regulate all this chaos. Consumers surely know.

Things were different in the early 2000s. I remember sitting in a security class in college, where the professor disappointedly opined that security isn't a product feature and was therefore doomed to take a backseat to other business priorities. Security, he said, was a mere attribute of quality, a nonfunctional requirement in engineering parlance. A technical detail under the hood, completely invisible to the consumer.

This is in stark contrast with the capabilities and presentation of a product, which all factor into functional requirements: features that consumers can directly observe, interact with, and therefore appreciate as added value. If you can't show your customers how secure your product is, why try to tell them about it? Why invest in security in the first place?

I should clarify that I'm not talking about security products, such as web application firewalls or malware scanners. In those cases, it's natural that security capabilities of the product would take center stage. The real question is, what about everything else?

How to Mold Security into a Tangible Feature
The heightened security awareness that permeates the IT landscape is an untapped opportunity for vendors to commit to tangible security features, and transform that investment into a competitive edge. Perhaps a sign of the times to come, big players like Apple have for some time flaunted how they build security and privacy into their products. However, let me point you to a less ubiquitous product: Signal, a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger LLC.

Signal isn't the most refined messaging application out there. It does get cryptography right, but so do some competitors. What sets Signal apart is how it positions itself as the messaging application for the security conscious crowd and drives that home by empowering users with meaningful privacy features.

For example, security often has a usability overhead such as the authentication of communication endpoints, which may require communicating parties to verify each other's identity out-of-band. Technologies like GPG-based email encryption front ends often hide these details, and instead save this cumbersome task for power users who seek that added assurance.

In contrast, Signal includes user verification as an explicit step when adding new contacts, integrates the process into its user interface, and eases the usability burden by utilizing QR codes. In the end, Signal doesn't even come close to solving this age-old problem but still transforms endpoint authentication into a palatable feature rather than hiding it from sight.

Signal also could have implemented a robust end-to-end encryption protocol and called it a day. Instead, it has positioned privacy as a pivotal product feature from the get-go, and carved out a market among the stiff competition thanks to that.

Stellar Security vs. Mediocre Performance?
Do consumers value security enough to give ground on other, more conventional feature expectations? Put another way, can vendors successfully position their stellar security to offset mediocre performance, inferior usability, or difficult integration? We're not quite there yet, and I do realize that Signal is more an aberration than the bellwether.

That said, today security can be designed as a feature that stands on its own. And it should be. As we rapidly approach a day when security may trump other priorities, it's time to start thinking about how security applies to core feature design principles. That won't be an easy task. Engineering needs to transform security into functional requirements deeply embedded into user experience. Marketing needs to advocate security and bolster consumer relationships aligned with the ever-changing threat landscape. Management needs to support this entire strategic change.

The time is right to make security a tangible product feature. Consumers want to see and touch security, and meeting this demand will help vendors stay ahead of the game. It's a win-win situation.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19619
PUBLISHED: 2019-12-06
domain/section/markdown/markdown.go in Documize before 3.5.1 mishandles untrusted Markdown content. This was addressed by adding the bluemonday HTML sanitizer to defend against XSS.
CVE-2019-19616
PUBLISHED: 2019-12-06
An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia Web Time and Expense (WebTE) interface used for Microsoft Dynamics NAV before 2017 allows an attacker to download arbitrary files by specifying arbitrary values for the recId and filename parameters of the /Home/GetAttachment fun...
CVE-2019-19617
PUBLISHED: 2019-12-06
phpMyAdmin before 4.9.2 does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php.
CVE-2012-1114
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the filter parameter to cmd.php in an export and exporter_id action. and the filteruid parameter to list.php.
CVE-2012-1115
PUBLISHED: 2019-12-05
A Cross-Site Scripting (XSS) vulnerability exists in LDAP Account Manager (LAM) Pro 3.6 in the export, add_value_form, and dn parameters to cmd.php.