When Buying Security Products Which Is Better – Full Disclosure Or Black Box?

While it may seem like computer security is one big field that really has only one job type that certainly is not true. The field of computer security is a very complex field and it has many different factors to it. And being that its very nature has many factors, that also means that there are a lot of opposing factions as well. There are a lot of different ideas on how things should be done in the computer security field and there is no easy answer. The only way you are able see which answers are right or wrong is when the end solution works or not. And even then they might not be the final answer because it can then come down to both solutions working but which one was able to work the best.


This also extends to the security products that we use every day. There are a lot of security products out on the market right now and not everyone has the same idea on which way is the best technique. It does not matter which security product you are talking about, which each implementation there is going to be a different solution to get it to work. One of the biggest wars that people have when it comes to getting things done in the computer security world is whether the process should be open or should it be closed. The official terms are whether the process should be black boxed or should it be a fully disclosed process.

When we say fully disclose we mean that the way that the process is done is known to the public. You might not get the exact implementations of how the technique is figured out but you do get the technique itself. The advantage to this is that your customer and the experts that are out there are able to tell whether you are doing a good job or not. And they can tell if you are really effective when it comes to your technique. Of course the downside is that the bad guys are able to learn the technique as well and they are able to plan against it. But in reality only the top tier black hat hackers would be able to accomplish that.

On the opposite end the term black box means that the company makes their security product and they do not let anyone know how it works. They just promise that when the product is implemented it will be able to work and work well. You will just have to trust them. This technique is not unheard of in the software world and as a matter of fact it is probably the way that most software implementation is done. But it does have its detractors because there are people out there who believe that you might be missing serious threats and not even know it. And this happens because there is no oversight on the product. Of course this also means that the bad guys have to guess as well. If the bad guys want to be able to solve the problem they would have to reverse engineer the software. Something a lot of black hat hackers are used to anyway.

These are two techniques that will both be criticized and praised without ever finding the right answer. It all depends on the person when it comes to which one they want to implement. If you are in charge of computer security at your business or office then you have to pick the technique that you are most comfortable with.

photo: Abode of Chaos

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind