
Something I used to think about during my tenure as a graduate student in computer security: has anyone written the definitive book/study/dissertation on why security incidents happen?

As mentioned elsewhere in this thread, it's a very complex problem involving operational, economic, and technical factors, suggesting (as others have mentioned) it's not something that really can be "sold". Watching bugtraq for a while, I saw a lot of pure tech exploits (buffer overflows, SQL injection, other silly things like that) but also quite a lot of misconfiguration -- insecure passwords, lack of an enforced password policy, employees leaving the company without revocation of their credentials, etc.

Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?



For your example, this happens to be relatively simple. The design is boolean - "Let the corporate network be accessible to the outside world? Y/N" and this is almost universal to implement because network access works the same way almost everywhere. What you're doing is essentially whitelisting access - you can simplify that to an algorithmic problem and solution space.

Web applications are not the same way. For example, enforcing policy restrictions between users of different permission levels suddenly becomes a custom project depending on what each user can do, what the application does, what functionality is mapped to different permissions, etc. It is not as simple as whitelisting. It is highly contextual.

Unfortunately, web applications are also where most vulnerabilities are found, not the network (at least not anymore).
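As an added illustration of the point made in the two comments above (the original question about checking firewalls for compliance with "the corporate network should not be accessible from the outside world", and the reply that this reduces to a whitelisting problem), here is a small policy checker. It is example code written for this page, not from any commenter or product. It assumes first-match rule semantics, that an IPv4 rule set can be read into a list of (action, src, dst, port) tuples, and the constructed address ranges `10.0.0.0/8` (corporate) and `192.168.0.0/16` (a branch office) as what counts as "inside"; every rule set below is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    port: str = "any"  # "any" or a single TCP port as a string


# Assumed address plan (constructed for this example): the policy protects
# CORPORATE_NET, and anything not inside INTERNAL_NETS counts as "outside".
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def reaches_from_outside(rule: Rule) -> bool:
    """True if the rule's source range contains addresses outside every internal net."""
    src = _net(rule.src)
    return not any(src.subnet_of(internal) for internal in INTERNAL_NETS)


def shadowed_by_earlier_deny(rules: list[Rule], index: int) -> bool:
    """First-match semantics: an allow rule is dead if an earlier deny fully covers it."""
    allow = rules[index]
    a_src, a_dst = _net(allow.src), _net(allow.dst)
    for earlier in rules[:index]:
        if earlier.action != "deny":
            continue
        covers_addresses = a_src.subnet_of(_net(earlier.src)) and a_dst.subnet_of(_net(earlier.dst))
        covers_port = earlier.port in ("any", allow.port)
        if covers_addresses and covers_port:
            return True
    return False


def check_policy(rules: list[Rule]) -> list[Rule]:
    """Return every live allow rule that lets outside sources reach the corporate net.

    An empty list means the rule set complies with the policy
    "the corporate network should not be accessible from the outside world".
    """
    violations = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if not reaches_from_outside(rule):
            continue
        if not _net(rule.dst).overlaps(CORPORATE_NET):
            continue
        if shadowed_by_earlier_deny(rules, i):
            continue
        violations.append(rule)
    return violations


# Constructed rule sets for the example.
RULES_OK = [
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8"),               # block the world from the corporate net
    Rule("allow", "0.0.0.0/0", "203.0.113.10/32", "443"),  # public web server, outside corporate range
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8"),             # internal traffic
]

RULES_BAD = [
    Rule("allow", "0.0.0.0/0", "10.0.5.0/24", "3389"),     # one subnet exposed to any source: violation
    Rule("allow", "192.168.1.0/24", "10.0.0.0/8"),         # branch office is "inside": fine
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8"),               # too late; the first match already allowed it
]

RULES_SHADOWED = [
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8"),               # deny comes first ...
    Rule("allow", "0.0.0.0/0", "10.0.5.0/24", "22"),       # ... so this allow can never match
]

if __name__ == "__main__":
    for name, rules in (("ok", RULES_OK), ("bad", RULES_BAD), ("shadowed", RULES_SHADOWED)):
        print(name, check_policy(rules))
```

The checker works because the policy is a pure allow/deny question over address ranges, which is exactly the "whitelisting" shape the reply describes; the shadowing check is what makes it a check of what the device actually does rather than of what each rule says in isolation. The web-application case in the same reply has no such fixed model, which is why the same approach does not carry over.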


>Maybe a good commercial opportunity would be policy compliance checking tools. Imagine a simple policy like "the corporate network should not be accessible from the outside world". Would it be possible to check all firewalls/routers/NATs/etc. for compliance with this policy?

This is already a very big part of the security industry. Countless companies and products (claim to) do this.
