"I do agree that the low hanging fruit of security has been picked and now it's more about constant improvement. So we are unlikely to see many (if any) truly innovative solutions out there anytime soon. Of course, I can be (and have been) surprised, but it feels like we are stagnating a bit as an industry. Which kind of makes sense because the reality is security should be a feature of everything we are doing." - Mike Rothman.

I don't 100% agree with Mike on this one, but I see where he's coming from. Richard Stiennon called both of us old men, just as I was forming some pretty neat ideas...
I posted earlier in the week about the new data breach laws coming into effect (hopefully) in the UK soon. Having done a little more research on it this afternoon, I found the notes from Bruce Schneier's interview with the select committee on Science and Technology (on Light Blue Touchpaper's article).
Bruce touched on a number of interesting areas, and kept it easy to understand without missing anything. I was impressed. Something which interested me a lot, given recent conversations around the blogosphere, was his notion that current security trends could "spark an industry in sandboxing... So if you are writing this piece of software and knowing that you cannot guarantee it is secure but want to sell it anyway, maybe there is an after-market product where you take your software, put it in, wrap it around, and that provides the security. To me, as soon as you set up these economic incentives, capitalism just solves the problems. Innovation is going to work. There will be hundreds of security products, of security add-ins, of security toolkits."
This brought to mind something Mark Curphey was talking about last week. He talked about how the first millionaire of the California gold rush made his money not from gold, but from selling shovels. I know Mark has an idea around the long tail of security, and he broadly agreed with my analogy of Web 2.0 security from last week. So, could this be his plan? Actually, I don't want to know; if it is, I don't want to give the game away. I haven't got the first clue how you would go about making a sandbox for all the current aggregators (Facebook, MySpace, LinkedIn, etc.) and the smaller apps that plug into them. It fits in nicely with my analogy of the long tail of security, though. Now the 'house' (aggregator) and the 'extension' (plug-in app) are put into modular cubes which can fit on top of each other. This would make sense if the 'cubes' can be marked up properly for their properties and their interaction with others.
I absolutely think this is where security will grow next, but how it will be achieved is a different matter, and a hard one. It's like VMware for security, and the platform doesn't exist yet. Mark's on his way to creating this and will no doubt do very well from it again.
Thinking outside the box, or network device, is something which is going to become ever more important as we move forwards.