Will the Real IT Security Researcher Please Stand Up?

Sunday, February 12, 2012

Rafal Los


Article by Ryan Ko

In contrast to 10 years ago, security news and flaw reports are becoming common in the mainstream media.

It will not be long before we see a permanent section in technology news reporting security flaws from so-called security researchers. But is this ‘real research’, and is this information helping the situation in the long run?

Fundamentally, research involves a scientific and methodical approach to improving the state of the art. This involves:

(1) surveying the current strengths, limitations, and schools of thoughts,

(2) eventually proposing, implementing and

(3) testing new revolutionary approaches to create a game-changing or disruptive innovation which not only solves the problem but makes all previous solutions (and problems) obsolete.

Take a step back and look across the security news headlines again, and you will soon realize that most of the articles are still at point (1); rarely do you come across any research at (2) or at (3). As an IT security researcher, this is the main concern I have with my industry.

Most security researchers are still comfortable with identifying flaws or racing to be the first to find zero-day vulnerabilities. But wait a minute: is this productive, and isn’t to err human? If that is the case, why is it surprising to find flaws in new software or applications?

Yes, one can point out that mobile phones or even modern automobile systems have security flaws, but is this newsworthy? Are they revolutionary and did they help to make the situation better or worse?

If a fire breaks out, which kind of people would you prefer? The ones who incessantly scream: “Look, there is a fire!” or the ones who actually put out the fire and then gather together to design the place to be more fire safe in the future?

Being a critic is easier than being an innovator or being the engineers who labor through several hours or even years to create something beautiful and useful for society. So, are most IT security researchers really helping the situation or just simply pointing fingers?

Granted, they report the flaws to the software companies in the hope that the companies will fix them, but how many actually follow through to create that quantum leap to prevent similar events from happening? Apart from fear mongering, what else can they achieve?

We already have enough digital garbage, and generating more ‘research’ which reveals nothing but flaws and offers no solutions will make the cycle reactionary and unsustainable. This eventually makes the race more and more difficult for the ‘good guys’.

There needs to be research which genuinely addresses the reactionary nature of security solutions, and works to outsmart impending security threats. That is what we are striving to do at HP Labs’ Cloud and Security Lab, based in Singapore, Bristol and Princeton.

For example, we have a number of researchers working on long-term and impending cloud security issues. Our TrustCloud project addresses key issues and challenges in achieving a trusted and accountable cloud through the use of detective controls, via technical and policy-based approaches. Our G-Cloud project is a program to develop a cloud infrastructure with government-grade security, while maintaining flexibility and efficiency and making sure that services are protected against future cyber attacks.

An encouraging trend is the recent rising interest from both academia and government-linked research institutions in addressing security issues via fundamental research methodologies. For example, just a few years ago, expensive biometrics-based security research was all the rage as there was an urgent need to solve serious authentication breaches.

Interestingly, it took a simple proposal of two-factor authentication (2FA), such as one-time passwords, to eradicate the need for elaborate biometrics equipment, since the novel approach simply leverages existing tools such as our mobile devices or platforms.

This kind of disruptive innovation is what the security industry needs to see, so that it changes the playing field for the “bad guys” and delays the time they take to outsmart the systems. Oh yes, 20-year-old problems such as buffer overflows still exist. I wonder why…

Cross-posted from Following the White Rabbit

Sara Hald: I think it's very nice that IT security has made it to the news. If nothing else, it raises awareness about the problem, and even my old mother knows to use anti-virus and protect her passwords these days. Also, I don't see why reporting on security issues is any different from other news. Sure, reporting on bank robberies and disasters and wars might add to the general fear of the populace, but the alternative - keeping people out of the loop "for their own sake" or for the convenience of the financial sector or the government - is not really that appealing. People have a right to know, and that goes for security issues as well.

And while it is certainly nice when game-changing solutions make a new and better security environment, I don't think that all security researchers work towards that goal, nor should they. It's all well and good that some firemen sit down and try to find out how to eradicate the risk of house fires forever, but I still need someone to help when my house is on fire right now. If someone could make a better hose that extinguishes fire 5% better than the old one, that might not be a game-changer, but it will still save some houses. Most of the research work being done in security adds limited but valuable progress to the field, as it does in most scientific areas.

Rafal Los: For the record - I didn't write this article. It was written by Ryan Ko of the HP Labs group on his blog and got pulled into this syndication feed. I can't take credit for making you think :-)