Holy Hash!

#security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Dump anti-virus and move to secure-by-design?

I stumbled across an article this morning that analyses the threat to the mobile devices from malware and comes to the conclusion that it is not likely a good idea to  have an anti-virus on your mobile.

mobiliesecurity01The premises are that only a very few of the mobile devices are currently infected, so the conclusion is that the infection is unlikely, plus that anti-virus software is terribly ineffective at catching the malware. The author concludes that the industry is best off to dump anti-virus on mobile and move to secure-by-design hardware and software.

I wholeheartedly agree that moving to secure-by-design devices would be excellent. I personally prefer an old trustworthy Nokia rather than any new fashionable smart phones for making calls and reading RSS. On the other hand, there is a couple of problems with the analysis and the proposition itself.

First, the apparent absence of the malware infection on the phones says nothing about either the actual infection or the possibility of infection. The mobile malware may get better tomorrow and the levels will jump overnight. Or perhaps we do not analyse it properly. The likelihood of infection is not a function of the current rate of infection.

Moreover, asking the mobile industry to make secure devices is vain. This is the same as asking the software industry to make secure software. They are just not going to. Security costs money, security is a cost for the manufacturer and they will reduce it through the floor if they can.

Secure-by-design is only going to happen when the costs of security breaches stop being externalities for the producer. As long as customers bear the costs, security remains the problem of the customer.

About these ads

Single Post Navigation

2 thoughts on “Dump anti-virus and move to secure-by-design?

  1. Daniel on said:

    Manufacturers usually try to minimize operational expenses, which increase the cost of each device in production. As for security-wise design decisions, if done at a proper level would be a one-time investment. Which could also protect even from bad software design decisions at application levels.

  2. Yes, it would, wouldn’t it? And how often do we see that happen? There is never funding for three essential things: architectural design, security and quality assurance. How can we change that?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 110 other followers

%d bloggers like this: