Security Theatre

I've long been a fan of Sun Tzu because I believe that knowing how an opponent thinks is crucial to knowing how to deal with them. I've also held the view that a significant part of the security industry that exists today does so solely because of the actions of a single company. The prevailing view in the IT industry has been to get to market first at all costs, and the ongoing effect of this is that anything seen as slowing down the delivery of the next MVP is a problem... so the first things to go in time-critical projects are security and testing. Our target market becomes our test bed whether they like it or not.

But what happens when security issues start piling up? In this case Sun Tzu teaches us about the use of deception to weaken your target. So if you have a weakness, you just pick a target and imply they have the same or greater issues... e.g. whip up a media frenzy implying that every security issue with open source is a problem with Linux, because they are the same thing... right?

Well, no, as an article on Techrights about conflating security issues and diverting attention away from one's own failings shows. Open source is by no means immune to development pressures, but at least the community can (and does) rally around and quickly provide fixes to identified problems.

We know from experience that the more Microsoft products get integrated, the bigger the attack surface gets and the greater the devastation that results... what makes anyone think it will be different when moving to MS products in the cloud?

Ruminate on that the next time your government department or business thinks that Azure is a good idea. Do you really want your data or business to be beholden to an offshore multinational with an ongoing record of security issues across multiple platforms?