I was excited when Dr. Crispin Cowan joined the company a while back - what security person wouldn't be!  As one of the key drivers behind StackGuard, Linux Security Modules and co-founder of Immunix, which produced AppArmor - few people are as qualified as Dr. Cowan to talk about security features and security boundaries.

So, when he asks "Is UAC a convenience feature, or a security feature?", I would say it is worth reading at least twice.  And if my recommendation is not good enough for you, let me share this quote that might entice you to go read the whole thing:

It is correct to say that UAC’s features are convenience features, in that it is much more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: vs. running as Standard User UAC is a convenience feature that compromises security, but vs. running as an Administrator as was the default in XP UAC is a security enhancement.

But does that mean that UAC is not a security feature? No. UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.

Of course, it is always nice when someone shares your own opinion.  As I've said in the past, security features do not have to be perfect in order to provide security value.  UAC definitely falls into that category.  And, as is my wont, I'm now going to go off and see if I can find some (imperfect, most likely) way to measure that value...

Regards ~ Jeff

Brad Feld turned me on to this interview of Dave Cowan of Bessemer Ventures on Red Herring TV.  Dave and Brad have co-invested in several deals, Postini being one of them.  Dave speaks about his recent involvement in a 100+ million dollar round in Perimeter Securtity, the MSSP aimed at mid-market and SMBs.  Dave and Bessemer have invested in many security companies over they years and he has a well honed view into the space.  His comments are that security is saturated at the top of the pyramid, meaning the Fortune 2000 and large government accounts.  He thinks the real opportunity is at the mid-market.  Not surprising given his recent Perimeter investment.

From my perspective though, I have to agree.  I think the mid-market is a much more dynamic marketplace for security.  You know what they say about the Fortune 500? There are only 500 of them.  Anyway, here is the interview, but be advised the security talk is only for about the first half of the show.  The rest is on VC stuff.

Brad Feld turned me on to this interview of Dave Cowan of Bessemer Ventures on Red Herring TV.  Dave and Brad have co-invested in several deals, Postini being one of them.  Dave speaks about his recent involvement in a 100+ million dollar round in Perimeter Securtity, the MSSP aimed at mid-market and SMBs.  Dave and Bessemer have invested in many security companies over they years and he has a well honed view into the space.  His comments are that security is saturated at the top of the pyramid, meaning the Fortune 2000 and large government accounts.  He thinks the real opportunity is at the mid-market.  Not surprising given his recent Perimeter investment.

From my perspective though, I have to agree.  I think the mid-market is a much more dynamic marketplace for security.  You know what they say about the Fortune 500? There are only 500 of them.  Anyway, here is the interview, but be advised the security talk is only for about the first half of the show.  The rest is on VC stuff.