Dump anti-virus and move to secure-by-design?

I stumbled across an article this morning that analyses the threat to mobile devices from malware and comes to the conclusion that it is likely not a good idea to have an anti-virus on your mobile.

The premises are that only very few mobile devices are currently infected, so infection is unlikely, and that anti-virus software is terribly ineffective at catching the malware. The author concludes that the industry is best off dumping anti-virus on mobile and moving to secure-by-design hardware and software.

I wholeheartedly agree that moving to secure-by-design devices would be excellent. I personally prefer an old trustworthy Nokia to any new fashionable smartphone for making calls and reading RSS. On the other hand, there are a couple of problems with the analysis and the proposition itself.

First, the apparent absence of the malware infection on the phones says nothing about either the actual infection or the possibility of infection. The mobile malware may get better tomorrow and the levels will jump overnight. Or perhaps we do not analyse it properly. The likelihood of infection is not a function of the current rate of infection.

Moreover, asking the mobile industry to make secure devices is in vain. This is the same as asking the software industry to make secure software. They are just not going to. Security costs money, security is a cost for the manufacturer and they will reduce it through the floor if they can.

Secure-by-design is only going to happen when the costs of security breaches stop being externalities for the producer. As long as customers bear the costs, security remains the problem of the customer.

Security Assurance vs. Quality Assurance

It is often debated how Quality Assurance relates to Security Assurance. I have a slightly unconventional view of the relation between the two.

You see, when we talk about the security assurance in software, I view the whole process in my head end to end. And the process runs roughly like this:

  • The designer has an idea in his head
  • The software design is a translation of that into a document
  • Development translates the design into the code
  • The code is delivered
  • Software is installed, configured and run

Security, in my view, is the process of making sure that whatever the designer was thinking about in his head ends up actually running at the customer site. The software must run exactly the way the designer imagined, that is the task.

Now, the software has to run correctly both under the normal circumstances and under really weird conditions, i.e. under attack. So the Quality Assurance takes the part of verifying that it runs correctly under normal circumstances while Security Assurance takes care of the whole picture.

Thus Quality Assurance becomes an integral part of Security Assurance.