Application Security: Instant messaging and Mobile computing

Business week published articles on adoption of two new models centered around application security. There appears to be tremendous potential for vendors in this space. What does not make sense is when Software applications and (web) services introduce new loopholes and these models thrive on closing those loopholes. I don’t appreciate the inter-dependency. Instead, I would like to see companies who build these applications and services to fix the loopholes and offer monitoring and prevention services. This would imply that the associated cost to the customer may rise, but I don’t see why companies cannot guarantee the integrity of their systems.

Do not misunderstand me – selling your knowledge of exploits and vulnerabilities is not what I argue against. Instead, I would like to see the responsibility of fixing and prevention lie with the maker. I also realize that “dumb” users are a hard problem and are the source of many issues. I am specificially aiming at exploits that target design weaknesses (for example, being able to ‘hijack’ the host machine threw a instant messaging application). Similarly, handset provider Nokia and Symantec sell anti-virus solutions to the end user, while I would think every PC or mobile platform should already ship with these services built into the the platform.

IM Security is one tough sell. The article discusses companies (startups) in the business of providing monitoring and prevention of attacks over IM networks.

Mobile viruses, if not now soon. The article discusses the threat of viruses infecting mobile information systems, handsets and the potential for disruption and spread.