
| Subject: | Re: Conflict of Interest - My summary |
|---|---|
| Date: | Tue, 20 Mar 2007 09:51:16 +0530 |
My summary: conflict of interest == fear of losing the business!
One point of view that was raised, whereby it could possibly be determined that an OS vendor providing security applications to protect its OS was a conflict of interest, is as follows:
"IMHO I think the fear has always been that as long as an OS was closed source, that company owning that OS could write or have inside knowledge of vulnerability information that would benefit or promote that security product more than another company. This could almost be classified like insider trading."
Whilst this statement is somewhat true, many of the security vendors offer up many other enterprise solutions to their customers that are not all about protecting the end user from an 'attack'.
Whilst the install base may not be as big as that of an OS vendor, many of these enterprise solutions can be critical to the daily operation of a business. So for any vulnerabilities found in these products, these security vendors can mitigate the risk at day zero by applying IPS / IDS signatures to their existing product range in the absence of a patch.
Are they likely to share this zero-day information with their competition? I think not.
Also, is it really such a bad thing that an OS vendor who offers up security applications can immediately protect its customer base at almost day zero, when a vulnerability has been reported to secure@whatever.com, by adding the protection capability within its security apps? At this point the vendor knows their customers in the interim are protected, whilst they get down to examining the area of code for the flaw, determine if there are any more vulnerabilities and then produce a patch.
Another good example is Oracle, they have their Database Vault, which is 'designed' to add an additional layer of security to protect their database and their customer. This is clearly a responsible approach, but I do not hear any complaints or shouts of a conflict of interest by those that produce 'Database IDS / IPS' solutions.
There will always be the argument that an OS vendor should not charge for the OS and then charge for the additional security protection, but for some vendors, they may have no other alternative, as it may pave the way for a lawyers' banquet which they would most likely lose in the end. (I am no lawyer, but one could easily foresee every security vendor filing anti-trust lawsuits; they would have to, they need to protect their business and their shareholders.)
There will also always be the argument from security vendors (and let's be honest about it, they are only talking about Microsoft here) that MS should share zero-day vulnerabilities with them so that they can offer the same level of protection within their security solutions. This is unlikely to ever happen (would they share their zero days with MS?). Of all the applications out there, do they get zero-day information from any other vendor such as Sun, IBM, HP, Apple etc.? Again, I think not.
My original email was to get a wider, well-informed view of opinions on the subject to determine if my belief was right / wrong.
So I guess my opinion in conclusion still stands: that for ANY software vendor who looks to add additional layers of security (free or not), it (IMHO) is not a conflict of interest and serves the end user well. By whatever means necessary, it should be the responsibility of the vendor to include / offer increased 'peace of mind'.
Thanks to all those that contributed
All the best
Mark
--
---------------------------------------
http://www.secgeeks.com
Get a blog on secgeeks :) Register here: http://secgeeks.com/user/register
RSS feeds: http://secgeeks.com/node/feed
Submit your security articles; send them to secgeek@secgeeks.com
http://www.newskicks.com Submit and kick for new stories from all around the world.
---------------------------------------