There are no big public pure software usability, software safety, or software packaging firms either. That's partly because—even though we can convince ourselves that we can add security to a network after the fact—nobody involved in securing software believes such is possible for software.

Michael Janke

What about McAfee and Symantec? My organization certainly isn't sending them hundreds of thousands of dollars per year because we like their logos. I'm pretty sure that we write them checks because they make an attempt at securing our software.

For the software companies you've listed, you'd have to take a stab at sorting out the fraction of their resources that they spend on security within their product suite. Oracle, for example, has a long list of security addons and features which presumably cost them time and money to develop, test, etc.

You also discount the internal software development costs related to writing secure applications. Presumably somebody, somewhere is doing internal code reviews of the software that they wrote....

I'd say you have to do a bit more work before flinging out numbers like these.


I think I am pretty conservative in estimating the size of the software industry; it could be fair to look at Symantec and friends against Microsoft, but they don't really do anything to protect SAP, Oracle, IBM or any of the others.

It is a cocktail napkin after all, but I am pretty confident that 1) I have covered the majority of the network market and 2) I have not even covered HALF of the software market (no Apple, Google, HP, outsourcers, Salesforce, on and on). So if anything in "flinging" these numbers out, I have tried to be overly fair to the network side and underestimate the software side (in terms of assets). Nevertheless the results are still damning.

Brian B

I'd guess this is another variant of Mythical Man Month: the need for specialized Security Software is too abstract for 'Bean-Counters', so they just buy more hardware.


Firstly, sorry for showing up late to this thread. Your tweet about Montier caught my eye (though the WSJ link was broken :( ).

I think we're on the same page here. I wrote some time ago about information security being 'Pareto inverted' - http://wp.me/pwN6G-5

@Brian is spot on that application security should be built in rather than bolted on, but @Michael is also right that there's a healthy (and somewhat publicly traded) market in bolt-ons above the network layer.

I see two problems here in the transition. The first is simple inertia - we can't stop doing the network stuff. At the very least it 'keeps the lumps out', as an old colleague of mine (now at Juniper) used to say. Also the regulators won't let us give up the old defences. The second is verifiability. Bolt-on solutions provide a simple place for auditors to insert a check, and check a box. Built-in solutions require built-in understanding, and we don't really have the tools for that yet.


@cpswan: to fix the ongoing misallocation of security budget dollars, the solution is to pay less - pay 50 cents on the dollar for 1995 tech.
