Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

7/30/2019
02:00 PM
Kaan Onarlioglu
Kaan Onarlioglu
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Transforming 'Tangible Security' into a Competitive Advantage

Today's consumers want to see and touch security. Meeting this demand will be a win-win for everyone, from users to vendors to security teams.

I have no qualms about postulating that the average technology consumer is well aware of security and privacy issues littering the Internet. That's not to say everyone is motivated to act on these problems, but even many less-than-tech-savvy consumers are continuously exposed to news of vulnerabilities, reports of breaches, and even politics and legislation that attempt to regulate all this chaos. Consumers surely know.

Things were different in the early 2000s. I remember sitting in a security class in college, where the professor disappointedly opined that security isn't a product feature and was therefore doomed to take a backseat to other business priorities. Security, he said, was a mere attribute of quality, a nonfunctional requirement in engineering parlance. A technical detail under the hood, completely invisible to the consumer.

This is in stark contrast with the capabilities and presentation of a product, which all factor into functional requirements: features that consumers can directly observe, interact with, and therefore appreciate as added value. If you can't show your customers how secure your product is, why try to tell them about it? Why invest in security in the first place?

I should clarify that I'm not talking about security products, such as web application firewalls or malware scanners. In those cases, it's natural that security capabilities of the product would take center stage. The real question is, what about everything else?

How to Mold Security into a Tangible Feature
The heightened security awareness that permeates the IT landscape is an untapped opportunity for vendors to commit to tangible security features, and transform that investment into a competitive edge. Perhaps a sign of the times to come, big players like Apple have for some time flaunted how they build security and privacy into their products. However, let me point you to a less ubiquitous product: Signal, a cross-platform encrypted messaging service developed by the Signal Foundation and Signal Messenger LLC.

Signal isn't the most refined messaging application out there. It does get cryptography right, but so do some competitors. What sets Signal apart is how it positions itself as the messaging application for the security conscious crowd and drives that home by empowering users with meaningful privacy features.

For example, security often has a usability overhead such as the authentication of communication endpoints, which may require communicating parties to verify each other's identity out-of-band. Technologies like GPG-based email encryption front ends often hide these details, and instead save this cumbersome task for power users who seek that added assurance.

In contrast, Signal includes user verification as an explicit step when adding new contacts, integrates the process into its user interface, and eases the usability burden by utilizing QR codes. In the end, Signal doesn't even come close to solving this age-old problem but still transforms endpoint authentication into a palatable feature rather than hiding it from sight.

Signal also could have implemented a robust end-to-end encryption protocol and called it a day. Instead, it has positioned privacy as a pivotal product feature from the get-go, and carved out a market among the stiff competition thanks to that.

Stellar Security vs. Mediocre Performance?
Do consumers value security enough to give ground on other, more conventional feature expectations? Put another way, can vendors successfully position their stellar security to offset mediocre performance, inferior usability, or difficult integration? We're not quite there yet, and I do realize that Signal is more an aberration than the bellwether.

That said, today security can be designed as a feature that stands on its own. And it should be. As we rapidly approach a day when security may trump other priorities, it's time to start thinking about how security applies to core feature design principles. That won't be an easy task. Engineering needs to transform security into functional requirements deeply embedded into user experience. Marketing needs to advocate security and bolster consumer relationships aligned with the ever-changing threat landscape. Management needs to support this entire strategic change.

The time is right to make security a tangible product feature. Consumers want to see and touch security, and meeting this demand will help vendors stay ahead of the game. It's a win-win situation.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Kaan Onarlioglu is a researcher and engineer at Akamai who is interested in a wide array of systems security problems, with an emphasis on designing practical technologies with real-life impact. He works to make computers and the Internet secure — but occasionally ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17229
PUBLISHED: 2020-02-24
includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues.
CVE-2020-9374
PUBLISHED: 2020-02-24
On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vulnerability in the diagnostics area can be exploited when an attacker sends specific shell metacharacters to the panel's traceroute feature.
CVE-2019-12510
PUBLISHED: 2020-02-24
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypass all authentication checks on the device's "NETGEAR Genie" SOAP API ("/soap/server_sa") by supplying a malicious X-Forwarded-For header of the device's LAN IP address (192.168.1.1) in every request. As a resul...
CVE-2019-12511
PUBLISHED: 2020-02-24
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being e...
CVE-2019-12512
PUBLISHED: 2020-02-24
In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execute stored XSS attacks against this device by supplying a malicious X-Forwarded-For header while performing an incorrect login attempt. The value supplied by this header will be inserted into administrative logs, found at Advanced ...