Why security by obscurity is a double own goal

We all “know” that security by obscurity is a “bad thing” but why is it? And why is it a double own goal for a security company?
Simplistically, the world of security can be broken down into two groups of people (in reality there are a few shades of grey, but they are a small minority):
  • Good Guys - people who want the security system to work and aren’t focussed on subverting the system; if you are a security company these people are known as customers and customers’ customers
  • Bad Guys - people who want to get past the security system

So what does security by obscurity do to your customers? It hides information from the people who need to know how to operate or purchase your system. If the customer knows anything about security they are instantly suspicious that the system is weak - otherwise why hide the details? It also means that important information about operating the system is harder to get; a major disadvantage in a crisis.

On the other hand, the bad guys will spend whatever time is justified to break your system. If it pays them to do it they will expend the time to reverse engineer your system. What determines how much time is justified is what the system protects - how much money can be made or what bragging rights they can gain. So obscurity has only added a small hurdle for them.

Security by obscurity makes it hard for your customers and adds the tiniest amount of difficulty to motivated opponents.
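As an added illustration (not code from the original post), the "small hurdle" argument above in Python: a toy product whose protection is a hidden, fixed transform baked into every copy is undone by a single known plaintext/ciphertext pair, while a design that publishes its algorithm (here HMAC-SHA256 from the standard library) and keeps only a per-deployment key secret loses nothing by being fully documented for customers. The function names, the hidden key and the sample messages are constructed for this example.

```python
import hashlib
import hmac
import secrets

# --- Scheme A: the secret is the algorithm (constructed "obscure" product) ---
# Every shipped copy XORs data with the same key baked into the binary. The
# vendor's whole protection is that these bytes are not published.
HIDDEN_KEY = b"vendor-secret"  # constructed sample value, not a real product key


def obscure_encode(data: bytes, key: bytes = HIDDEN_KEY) -> bytes:
    """XOR data with the repeating key; decoding is the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_hidden_key(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Recover the baked-in key from one known plaintext/ciphertext pair.

    XORing the pair gives the keystream; the key is its shortest period.
    This is the one-off reverse-engineering effort the post says a motivated
    opponent will spend, and it then applies to every installed copy.
    """
    stream = bytes(p ^ c for p, c in zip(known_plain, known_cipher))
    period = next(
        n for n in range(1, len(stream) + 1)
        if all(stream[i] == stream[i % n] for i in range(len(stream)))
    )
    return stream[:period]


# --- Scheme B: the algorithm is public, only the key is secret ---
# HMAC-SHA256 is fully documented; customers can read the spec and this code.
def new_deployment_key() -> bytes:
    """Each deployment gets its own random key; nothing is shared across copies."""
    return secrets.token_bytes(32)


def tag_message(key: bytes, message: bytes) -> bytes:
    """Authentication tag over the message under the deployment key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(tag_message(key, message), tag)


def demo() -> dict:
    """Run both schemes on constructed sample data and report what someone who
    knows the algorithm and sees one message learns from each."""
    known_plain = b"Quick start guide: hold the reset button for ten seconds."
    known_cipher = obscure_encode(known_plain)
    recovered = recover_hidden_key(known_plain, known_cipher)

    key = new_deployment_key()
    msg = b"firmware-update-1.2.bin"  # constructed sample message
    tag = tag_message(key, msg)
    return {
        "obscure_key_recovered_from_one_pair": recovered == HIDDEN_KEY,
        "obscure_decodes_with_recovered_key":
            obscure_encode(known_cipher, recovered) == known_plain,
        "hmac_public_spec_still_verifies": verify_tag(key, msg, tag),
        "hmac_tamper_detected": not verify_tag(key, msg + b"x", tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The customer-side check this suggests: ask the vendor what remains secret if every design document and every line of code were published. If the answer is "nothing, only the per-customer key", the system is built to be documented; if the answer involves the algorithm itself, you have found the obscurity.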