Software Security and Security Software

mation security models or the fundamental building blocks used to create them. (A good example of this is “When Hashes Collide,” the first installment of the magazine’s newest department, Crypto Corner. Yet, we rarely read about security technology’s strengths and weaknesses in the specific hardware and software products used in real-world environments. Isn’t it curious that almost no published security product review or comparison explicitly assesses or provides any more than superficial details about products’ security? How could this be— especially considering that so many current technologies are deeply rooted in cryptography, a field that derives its evolution from an iterative attack-and-defend, prove-and-refute process and whose practitioners accept and embrace the idea of breaking and reinventing the very systems, algorithms, and tools that result from long hours of hard work? We can assume that cryptographers apply logic that’s not only fundamental to modern scientific development but that’s also been used for decades or, arguably, centuries. If that’s true, we could justify the lack of scientific rigor in security products by noting the information security industry’s immaturity or by including in the analysis other variables that drive its evolution. For such an analysis, we should at least consider the economic, cultural, political, and ideological backgrounds, as well as goals and motivations, of the organizations and individuals that shape the information security microcosm. Bearing in mind that humans drive the discipline’s evolution, and adding the weight of the author’s own subjectivity to the analysis, you’ll find this Attack Trends installment looks at the security vendor space—of which I am part—in search of new vulnerability types and attack trends.