Due to not keeping pace with software innovations, Information Security has been incurring Technical Debt since 1995. The Information Security Debt Clock tracks the time since the Web security architecture based on Network Firewalls and SSL was first deployed.
Technical Debt occurs when "During the planning or execution of a software project, decisions are made to defer necessary work...The list can grow quite long, with some items surviving across multiple development cycles."
Related idea -- intrusion debt.
Posted by: Richard Bejtlich | March 24, 2009 at 07:55 AM
http://taosecurity.blogspot.com/2008/11/fast-moneys-transparency-and-digital.html
Posted by: Richard Bejtlich | March 24, 2009 at 07:55 AM
Oh dood, you totally forgot that Cloud computing can utilize AV! The Cloud is saved!!
Posted by: Andre Gironda | March 24, 2009 at 01:06 PM
Gunnar,
As I commented last time in person, I believe you have to add "Application Firewall" to the list of protections security vendors have cooked up. The addition serves the purpose of showing that the security industry THINKS it's made an evolutionary jump away from network-only security (it's an 'application' firewall after all).
Yet, anyone reading this blog will snicker at the absurdity of this control. Analyzing the data for content does little against even tired web attacks when the tools get messed up by switching the order of URL parameters, when they can't be deployed to monitor/protect SSL connections with any reasonable performance, when the extent of their rule languages reduces to 'grep', and when they can't handle analysis across requests in a stateful connection.
Posted by: jOHN | April 03, 2009 at 06:13 PM
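The parameter-order weakness jOHN describes, shown as an added example (not code from the post or from any commenter): a grep-style rule written against the raw query string versus a check that parses and decodes the parameters first. The query strings and the "no `..` in the `file` parameter" policy are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample query strings (not from the page): the same request with
# its two parameters in different orders, plus a benign one and a URL-encoded one.
REQUESTS = [
    "user=alice&file=../../etc/passwd",          # order the naive rule expects
    "file=../../etc/passwd&user=alice",          # same request, parameters swapped
    "user=alice&file=%2e%2e/%2e%2e/etc/passwd",  # same request, dots URL-encoded
    "user=bob&file=report.pdf",                  # benign
]

# A 'grep'-style rule applied to the raw query string. It silently assumes that
# 'user' precedes 'file' and that the dots appear literally, so it is defeated by
# a reordering or an encoding that changes nothing about the request's meaning.
NAIVE_RULE = re.compile(r"^user=[^&]*&file=[^&]*\.\.")


def naive_blocks(query: str) -> bool:
    """Verdict of the order-sensitive raw-string rule."""
    return bool(NAIVE_RULE.search(query))


def parsed_blocks(query: str) -> bool:
    """Parse and URL-decode first, then apply the policy to the named parameter.

    Parameter order no longer matters, and decoding happens before inspection,
    so the encoded form is judged the same way as the literal one.
    """
    params = parse_qs(query, keep_blank_values=True)
    return any(".." in value for value in params.get("file", []))


def compare(queries):
    """Return (query, naive_verdict, parsed_verdict) triples for side-by-side review."""
    return [(q, naive_blocks(q), parsed_blocks(q)) for q in queries]


if __name__ == "__main__":
    for query, naive, parsed in compare(REQUESTS):
        print(f"{query:45} naive={naive!s:5} parsed={parsed}")
```

Only the first request trips the raw-string rule; the parsing check blocks all three variants and passes the benign one.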