At the IT Security World conference on Monday, Window Snyder, the security chief at Mozilla Corp., gave a keynote on multi-layer defenses. The core news emerging from her talk is that Apple Inc., second only to Microsoft in operating system market share, needs to be more open about how it handles security.
Snyder is a “big” Apple fan, she says, “but one of my big problems with Apple is we don't get to hear what they're doing with security. I'd have a lot more confidence if they would communicate that stuff.”
This has always been the case with Apple, which recently released another round of security fixes for its OS X platform. The complaint often heard from reporters and security experts is that too little information is released when security problems on Apple-branded products are discussed. There are issues with how patching is handled, and some security researchers refuse to work with the company because vulnerability reports are often ignored or nothing is done about emerging issues.
In 2007, Thor Larholm, a noted security expert who discovered issues in Safari for Windows within two hours of release, made his opinions clear by saying:
“Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser...”
Apple has made some improvements in the way it talks about security. Yet, unlike Microsoft Corp., Apple does not offer security-only insight into its products, nor does it discuss processes and planning when working on new security features or services.
The tight-lipped ethos of Apple's security team is confirmed by its own wording, which states:
“For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”
The recent update to OS X addresses security issues that Apple never told end users about ahead of time, instead opting to leave them vulnerable until the next patch cycle. Even then, users are given only the basics about each security issue, and nothing more.
“They have a real opportunity there to show the rest of the security industry what they're doing because I think they are doing good work,” said Snyder, adding that it is painful when end users have to rely on marketing to know if something is secure or not.
So, will Cupertino-based Apple open up and become more informative?
It's highly unlikely, not least because it has made keeping secrets and building hype almost an industry standard. Why would security matters be any different?