Comments on: Security And Market Forces

by: Tom Van Vleck

Wed, 12 Mar 2008 01:36:15 +0000

I can’t come up with a number for how much money I spend on car safety every year. When I buy a car, I pick the safest I can afford, but my choices are limited. I might have to buy new tires, but I can’t quantify how much safety I get per dollar. I think computer security is in the same situation. (Or worse. Cars have federal safety standards, and if someone tried to sell a completely bogus safety add-on, he’d be arrested.)

As a customer, you can’t spend money on computer security. The system vendor has to have spent that money at design time and during implementation. If they underspent, it’s too late to fix it.

The sad truth is that people don’t want to pay for computer security. (Or automobile safety. Read the drunk driving stories in the newspaper.)

I think we *do* know what to do about security. Why are people still writing operting systems in C?

John asks “How are we really going to get enough security knowledge in the hands of developers to change their behavior in a sustainable way?” and the answer is clear: stop rewarding bad behavior.

“Code analysis” is good but cannot be applied to random code written by strangers. It only makes sense as part of a comprehensive theory of how a product will be assured to a desired level.

A long time ago my friend Roger showed me his plan to write a file system. I forget the exact numbers: say six months of coding and six of debugging. I said, “Let me get this straight. You are going to write mixed good code and bugs for six months, and then spend six more taking the bugs out.” Roger said, “Gee, when you put it like that it sounds sort of dumb.”

by: -jOHN

Fri, 07 Mar 2008 15:06:02 +0000

Tim,

I’ll let the next 12-24 months of ‘history’ show us where static analysis goes. But, I appreciate your more punchy final paragraph. Looking at mine, I was implying the same, and challenging not only those that design systems but also those that help companies deploy security methods to think harder about solutions that wouldn’t be seen as silly.

You and I worked together, once long ago at Cigital. At the time, Cigital’s researcher would have rousing conversations about how to use their own thoughts in concert with research that had come prior to make things better. The good news is that I finally feel surrounded by a critical mass of people 1) aware enough of what’s come before them and 2) in possession of enough mental horsepower to apply it to today’s software technologies.

…better yet, I’m finding some of their “rare gem” types in client organizations!

by: Tim Hollebeek

Fri, 07 Mar 2008 00:01:31 +0000

People can evangelize about static analysis, developer education, and so on all they want, but look at Microsoft’s experience: even vast investments in these techniques provide only marginal improvements. Meanwhile we build systems with direct Firewire connections to DRAM so that everybody can save the hassle of having to acquire liquid nitrogen in order to read each other’s disks.

The problem is we don’t know how to design and architect secure systems of the size and complexity that customers need. And until we learn, they’re going to continue to laugh at our silly efforts to provide unworkable patchwork solutions that are expensive and don’t pay off in the end.

Evangelism is fun, and we security guys are pretty bright, so we have a hard time admitting that sometimes the guy in the room wearing no clothes is us.