Are All Security Vulnerabilities Preventable?

WINSTON SAUNDERS
Intel

Winston Saunders has worked at Intel for nearly two decades and currently works on making the data center more secure and efficient. Winston is a graduate of UC Berkeley and the University of Washington. You can find him online at “Winston on Energy” on Twitter.

As a relative newcomer to the security arena, it’s taken some OJT (on the job training), a birth (or two) by fire, and some blood, sweat, and tears to start “seeing my way.” While information security is a complex field, I like to think that what I may still lack in direct experience I can, in some ways, make up with an open mind, broad experience, and some “out of the box” thinking.

A big part of my job is developing systems and processes to detect and prevent product vulnerabilities at their earliest possible (and least costly) points in the architecture and design phases of program execution.

Changing the Mindset

Several years ago, I worked in a manufacturing environment where one had to be careful around hazardous energies, chemicals, ergonomic risks, etc. The risks are very real; a mistake in the wrong place at the wrong time could result in serious chronic or acute injury. But in reality, actual workplace exposures were very low.

The difference was mindset. In some industrial environments, workers just acquiesce to the idea that “accidents are unavoidable.” They presume because it’s dangerous stuff that danger is inherent in the work. But experience shows that is flat-out wrong. The correct mindset is that “all accidents are preventable.” In industrial settings, systems and procedures can and should be put in place to reduce risk and prevent accidents. And, if an accident happens, systems should be examined and improved to ensure the accident doesn’t occur again. All accidents are preventable. This mindset change has been shown over time to be incredibly effective in reducing accidents and injuries.

Security Vulnerabilities Are Preventable

Today one can read that “many hackings were preventable,” as if all were not. That “many device vulnerabilities are preventable,” as if some vulnerabilities are unavoidable.

But aren’t designed-in security vulnerabilities just “accidents” in the development process, and aren’t all accidents preventable? It’s time for us, as an industry, to borrow a page from the industrial safety playbook. Just as industrial accidents are preventable, so are security vulnerabilities. As I look at vulnerability detection and prevention measures common in software and hardware development, we need to adopt a more aggressive stance. I believe this also applies to building automation systems.

“All vulnerabilities are preventable.”

Can mindset change alone guarantee that no security breaches will happen? Of course not. Systems are not perfect. When problems occur, effort must be expended to understand and address root cause. But if we accept that we can learn and improve systems and processes to continuously eliminate vulnerabilities, we will at least defer from the dangerous attitude of inevitability. All vulnerabilities are preventable.

One of my colleagues here at Intel is fond of saying, “security isn’t special.” In a sense he may be right. Isn’t information security in many ways a play from an older playbook of risk mitigation and continuous improvement, applied to a new and exciting context?

Industry Perspectives is a content channel at Data Center Knowledge highlighting thought leadership in the data center arena. See our guidelines and submission process for information on participating. View previously published Industry Perspectives in our Knowledge Library.
