Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/30/2019
02:00 PM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming 'Tangible Security' into a Competitive Advantage

Today's consumers want to see and touch security. Meeting this demand will be a win-win for everyone, from users to vendors to security teams.

I have no qualms about postulating that the average technology consumer is well aware of security and privacy issues littering the Internet. That's not to say everyone is motivated to act on these problems, but even many less-than-tech-savvy consumers are continuously exposed to news of vulnerabilities, reports of breaches, and even politics and legislation that attempt to regulate all this chaos. Consumers surely know.

Things were different in the early 2000s. I remember sitting in a security class in college, where the professor disappointedly opined that security isn't a product feature and was therefore doomed to take a backseat to other business priorities. Security, he said, was a mere attribute of quality, a nonfunctional requirement in engineering parlance. A technical detail under the hood, completely invisible to the consumer.

This is in stark contrast with the capabilities and presentation of a product, which all factor into functional requirements: features that consumers can directly observe, interact with, and therefore appreciate as added value. If you can't show your customers how secure your product is, why try to tell them about it? Why invest in security in the first place?

I should clarify that I'm not talking about security products, such as web application firewalls or malware scanners. In those cases, it's natural that security capabilities of the product would take center stage. The real question is, what about everything else?

How to Mold Security into a Tangible Feature
The heightened security awareness that permeates the IT landscape is an untapped opportunity for vendors to commit to tangible security features, and transform that investment into a competitive edge. Perhaps a sign of the times to come, big players like Apple have for some time flaunted how they build security and privacy into their products. However, let me point you to a less ubiquitous product: Signal, a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger LLC.

Signal isn't the most refined messaging application out there. It does get cryptography right, but so do some competitors. What sets Signal apart is how it positions itself as the messaging application for the security conscious crowd and drives that home by empowering users with meaningful privacy features.

For example, security often has a usability overhead such as the authentication of communication endpoints, which may require communicating parties to verify each other's identity out-of-band. Technologies like GPG-based email encryption front ends often hide these details, and instead save this cumbersome task for power users who seek that added assurance.

In contrast, Signal includes user verification as an explicit step when adding new contacts, integrates the process into its user interface, and eases the usability burden by utilizing QR codes. In the end, Signal doesn't even come close to solving this age-old problem but still transforms endpoint authentication into a palatable feature rather than hiding it from sight.

Signal also could have implemented a robust end-to-end encryption protocol and called it a day. Instead, it has positioned privacy as a pivotal product feature from the get-go, and carved out a market among the stiff competition thanks to that.

Stellar Security vs. Mediocre Performance?
Do consumers value security enough to give ground on other, more conventional feature expectations? Put another way, can vendors successfully position their stellar security to offset mediocre performance, inferior usability, or difficult integration? We're not quite there yet, and I do realize that Signal is more an aberration than the bellwether.

That said, today security can be designed as a feature that stands on its own. And it should be. As we rapidly approach a day when security may trump other priorities, it's time to start thinking about how security applies to core feature design principles. That won't be an easy task. Engineering needs to transform security into functional requirements deeply embedded into user experience. Marketing needs to advocate security and bolster consumer relationships aligned with the ever-changing threat landscape. Management needs to support this entire strategic change.

The time is right to make security a tangible product feature. Consumers want to see and touch security, and meeting this demand will help vendors stay ahead of the game. It's a win-win situation.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
The Yellow Brick Road to Risk Management
Andrew Lowe, Senior Information Security Consultant, TalaTek,  11/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: He hits the gong anytime he sees someone click on an email link.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29070
PUBLISHED: 2020-11-25
osCommerce 2.3.4.1 has XSS vulnerability via the authenticated user entering the XSS payload into the title section of newsletters.
CVE-2020-26212
PUBLISHED: 2020-11-25
GLPI stands for Gestionnaire Libre de Parc Informatique and it is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.3, any authenticated user has read-only permissions to the planning of ever...
CVE-2020-26243
PUBLISHED: 2020-11-25
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded...
CVE-2020-25650
PUBLISHED: 2020-11-25
A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service fo...
CVE-2020-29071
PUBLISHED: 2020-11-25
An XSS issue was found in the Shares feature of LiquidFiles before 3.3.19. The issue arises from the insecure rendering of HTML files uploaded to the platform as attachments, when the -htmlview URL is directly accessed. The impact ranges from executing commands as root on the server to retrieving se...