Security professionals seem to have a strained relationship with Apple these days. Any trip to a security conference shows that more and more security professionals are using Macs on a regular basis. A not-insignificant percentage of the high-end industry types I know use Macs and iPhones, at home if not at work, often against corporate policy.

Yet Apple’s view on security is very… 2001. They do not follow a security development lifecycle. Marketing seems to play too strong a role in security decisions, especially when dealing with researchers. They never finished most of the security features of Leopard, and some products (especially QuickTime) are running at very high vulnerability rates.

The first thing we need to get out of the way is that Macs are currently safer to use than Windows XP, even if they aren’t as secure. There just aren’t as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.

Thus, as a security professional I have mixed feelings about Apple. I feel somewhat hypocritical about supporting a company that doesn’t prioritize my bread and butter, but I’m not overly pleased with Windows’ UI failings or Linux’s peculiarities. I’ve made the decision to pick the OS that best fits my work and productivity needs, then do what I can to improve the security of the platform.

Which gives me three options:

  1. Work for Apple. They haven’t called and I’m not waiting.
  2. Discover and report vulnerabilities, hoping they’ll get patched. I suck at this, so not the best option.
  3. Criticize and constantly pressure them in public, hoping to embarrass them into change. They’ll call me a raving loon, then ignore and marginalize me.
  4. Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can’t simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change.

Apple is far from perfect and their security needs a ton of work, but I’m taking a reasoned approach and hoping that by engaging and educating their customers (and thus Apple, indirectly), we can spur change.

On that note, I’m off to the Macworld Expo show floor to meet with various vendors (including security vendors) and to play with my new iPhone (yes, I’m weak).
