My journey into security

By John Viega
November 17, 2008

This is my first blog post on O'Reilly. I thought I would start out with some background on myself, and then give a high level overview of the kinds of things I'm going to be blogging about.

When I was in college, I worked on the Alice project, run by Randy Pausch, of Last Lecture fame. Alice was a system for virtual reality and 3D graphics-- working on it got me the few cool points I had in college. But, the primary goal of Randy's project had nothing to do with virtual reality, or being cool. It was all about making computer programming easy to use. Randy wanted any high school kid to be able to write their own computer games, without having to be computer programmers. In the journey, they might learn how to program.

After I got over the cool factor of fighting droids with a real light saber in a virtual reality environment (you held a flashlight in your hand, but it looked like a light saber in virtual reality), I found I wasn't actually all that passionate about computer graphics. But, Randy had definitely gotten me excited about making things easy for average people.

My first introduction to Randy came when I took his class on Usability Engineering, which was about making software products that are easy to use. I was struggling with whether I wanted to go into the computer field at all. I knew I could program, but the previous coursework I'd taken had almost scared me off because it kept me dozing off... classes like Fortran and Discrete Math.

But on the first day of class, Randy showed us a VCR, and talked about how difficult it was to do simple things, like set the time. He talked about how the buttons were all clumped together in ways that made it difficult to distinguish what was what. He got everyone sharing their frustrations with their VCRs, and with plenty of other common things, such as light switches that don't turn off the light you think they should, or doors that you think you should push, but actually require you to pull.

Then, Randy put on goggles, pulled out a sledgehammer and beat the crap out of the VCR. And then he proceeded to destroy other donated devices with shoddy user interfaces.

That inspired me. It made me realize that the entire consumer electronics industry and the computer software industry were all fundamentally broken, because they weren't really providing people with good experiences, just passable ones. It seemed that everywhere I looked, people making products were assuming they knew their users, without spending enough time talking to them. Nearly 15 years later, very little has changed... the average user is still an afterthought. I've worked with many "product managers" who are supposed to figure out what to build, and I've only met one or two who spent any significant time with their users. Most work on things that should seem less important than embracing the customer in the grand scheme of things, like helping support sales efforts, or building marketing material.

Once I got out of college, I switched immediately into the security field, where I've been for about 10 years now. This was a field that was easy to get passionate about, because bad security was clearly having a negative impact on the world. More or less everyone I knew that ran Windows had some horror story about a virus deleting their files, crashing their machine or otherwise doing something to sap productivity. I'd already seen in college the impact of software flaws on machines connected to the internet, having seen hackers delete content and render machines unusable, all because of some incredibly subtle problem in code written by some third party.

Very quickly I got up to speed on the field, then started doing my best to have an impact. Along with Gary McGraw, I wrote the first book on writing secure programs (Building Secure Software, 2001--we are finally looking at doing a long overdue revision), and a few others (I'm particularly proud of the Secure Programming Cookbook). Then I started a company called Secure Software, which built tools to automatically find security problems in programs by looking at the code developers write (that company got acquired by Fortify, and I am now on the Fortify advisory board).

I then took a job as Vice President, Chief Security Architect at McAfee, who would like you to know they're the world's largest dedicated IT Security company (Symantec is several times larger, but they do a few things that aren't security, allowing McAfee to make the claim with a straight face). After a couple of years of doing a lot of merger and acquisitions work, plus managing the engineering of most of the core technologies that are shared across McAfee's products (such as the anti-virus engine), I got to the point where I felt that I wasn't going to be able to do much more from my big company vantage to try to change the world in a positive way, so I struck out to do a startup.

Anyway, ten years later, the security world doesn't seem much better for my efforts. In fact, in many ways, things have gotten worse. Sure, in part this is because lots more people are on the Internet, and computer security is an incredibly difficult thing to get right.

Still, everywhere I turn in the security world, I see, as my friend Mark Curphey likes to say, "Security Bulls**t". This industry not focused on providing users a good experience with their products. But, even worse, it is not really focused on providing the more secure experience that is implicitly promised.

For instance, look at the bedrock of the computer security industry, the piece that more or less everybody feels they need to have--Anti-Virus (AV). Nobody thinks that AV solutions work very well. And, for the most part, they are right. These solutions are often 15 years old, and simply don't do a good job. The major players could have been doing a much better job for a long time, but inertia has kept everyone running crapware that takes up too much of your system's resources to stop probably less than half of all potential infections.

Like Randy Pausch smashing a VCR, I'd like to help people realize what is wrong with the industry, hoping to inspire at least a couple of people to put people first in their business pursuits in the security world.

I don't think it's a futile cause. While I don't believe that there is a "silver bullet" for security, I do think that end users should be getting a lot more for their money, by getting a better experience (e.g., AV that doesn't slow down their computer) and better security (e.g., AV that is more than one step above "worthless"). I do think there are powerful economic incentives that keep security companies selling you fear instead of peace of mind. In fact, we'll see that it is often security companies making you less secure.

Thanks to Tim O'Reilly and team for giving me this soapbox. As I get going here, I'll try not to just focus on fixing the security industry, but also looking at a few of the places where the security gets it right.

You might also be interested in:

News Topics

Recommended for You

Got a Question?