Chapter 14. Monoculture and Product Security

The term monoculture is taken from agriculture—meaning to grow one crop exclusive-ly—and usually it is considered a bad practice. The reasoning behind the negative connotation is if the same kind of crop is grown exclusively (that is, the same variety of corn or wheat) and a disease, infestation, or other problem befalls it, the entire crop will be affected and the land will yield nothing. People have learned this lesson the hard way, and farmers make sure they don’t repeat the same mistakes by diversifying crop they are growing.

The monoculture concept also applies in the context of computer security. Probably one of the better-known instances where it is examined is in the article, “CyberInsecurity: The Cost on Monopoly,” by Dan Geer, et al., published as a Computer & Communications Industry Association (CCIA) report in 2003. In the article, it is argued that if an organization depends solely on a single vendor, any security problem affecting that product affects the entire organization. The article talks about Microsoft in particular, but the argument is applicable to any situation of that kind.