Security software includes risks - Why you should ideally not use security software

Reto Bollinger Feb 11, 2020

Every now and then the question arises whether we at nine use one or the other "security software". This refers to solutions (like antivirus programs and personal firewalls) that "magically" ward off all threats and malware. Preferably also with the use of Machine Learning and Artificial Intelligence. Such remedies are sometimes also called "snake oil" (https://en.wikipedia.org/wiki/Snake_oil).

No, nine does not use "snake oil".

The reason why we do not use "snake oil" is simple: our goal is to know what we are doing. "We know what we are doing" might sound a bit presumptuous, but that is actually the reason.

Our systems are therefore designed to be "simple" in order to present as small an attack surface as possible. Simple systems can also be monitored and managed more easily. Additional "security software" of any kind can only be complex, since it must be able to generically cover all possible attack vectors.

However, complexity is exactly the core of the problem: as complexity increases, so does the potential for errors in the implementation. Errors in the implementation are in turn potential attack vectors. Thus a system with such "security software" has additional potential attack vectors compared to a system without "security software".

There are, however, a few more considerations to be made. It may be that you have to secure a complex system that you do not understand sufficiently. In this case, it may be justified to increase the complexity by installing "security software", because such "security software" focuses on known attack vectors and can secure those specific attack vectors. Especially if the system is sufficiently complex, it is therefore possible that the "security software" covers attack vectors that could otherwise be a serious threat to the system. Nevertheless, the entirety of a (complex or simple) system together with (complex) "security software" has additional potential attack vectors. The "security gain" thus relates exclusively to known attack vectors.

In short: simplicity beats complexity. Or even simpler: Know what you're doing. This is not just "paranoia" but has just been proven not too long ago: https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack 

Reto Bollinger

Information Security Officer @ nine