Author Archive

New Security Reads

Tuesday, June 2nd, 2009

IEEE S&P: Securing Online Games (vol.7, no.3)

IEEE Security & Privacy magazine remains the most important trade periodical on security published today. Though the content is on rare occasion esoteric, the magazine is always technically accurate and detailed. Only a peer-reviewed publication can offer readers a look at computer security as a science. Think of it as applied academics.

I am pleased to announce that IEEE Security & Privacy magazine’s May/June 2009 edition was recently released. The issue (volume 7, number 3) covers Securing Online Games in a series of four peer-reviewed articles that help define the state of the practice.


For more about the issue, see: http://www.computer.org/portal/site/security

Also in the same issue is a print transcript of Silver Bullet 36. That’s the episode where James McGovern turned the tables and interviewed me. That transcript is on the web here.

Beautiful Security

Also of note is a book of thoughtful essays on security put together by John Viega (once a Cigitalite) and Andy Oram. Here’s my original blurb from the back cover:

“This collection of thoughtful essays catapults the reader well beyond deceptively shiny security FUD (the drum major of the bug parade) toward the more subtle beauty of building security in. Security is an essential emergent property for all modern systems—something that most people implicitly expect and few people explicitly receive. This book demonstrates the yin and the yang of security, and the fundamental creative tension between the spectacularly destructive and the brilliantly constructive. Read. Learn. Emulate.”


I’m still working my way a second time through the assembled essays from security stars including mudge, Betsy Nichols, Phil Zimmermann, Mark Curphy, and Jim Routh. This is a must read for 2009.

Twitter Security

Monday, May 18th, 2009

I just published a little ditty on Twitter security that is bound to get some interesting feedback. My bet is that much of the feedback is less than 140 characters long!

My friend Joe Faber (of Spaghettios fame) sent me this YouTube video, which I think sums up Twitter nicely:

Your longer feedback is welcome below!

Software Security 2008

Thursday, April 16th, 2009

For the past three years, I have collected and published revenue numbers from tools and services in the software security space. Here are pointers to the three resulting articles, including this year’s NEW article (for 2008):

Before some observations, here is a pretty picture showing growth over time, divided among tools, services, and pizza boxes. Cigital remains the largest independent software security services company. For more details, see my informIT report.

Software Security Space Revenue graph

Probably the most important development in 2008 is that the space as a whole is nearing a very important $500M threshold. At this level of business activity, the technology analysts start to take a big interest. This creates a feedback loop of sorts as the middle market engages. Some evidence of this effect:

Other analysts of note include:

  • Ramon Krikken from Burton Group
  • Charles Kolodgy from IDC
  • Nigel Stanley from Bloor Research

I will continue to track growth and development of software security over time, but I am very pleased that the analysts are pitching in. As software security matures and the middle market emerges, we will start to have an important impact on the rest of computer security.

Reality Check: Jim Routh

Tuesday, February 3rd, 2009

Yesterday we released the second episode of the Reality Check Podcast. This month’s victim is Jim Routh, CISO of Depository Trust Clearing Corporation (DTCC). DTCC has a very advanced software security initiative that is well worth learning about. We talk about that in this interview. Have a listen!

I’m also pleased to announce that CSO online has syndicated Reality Check and will be distributing the podcast to their CSO audience. You can find the first episode with Steve Lipner here.

And Jim’s episode here.

OWASP Podcast Features Gary McGraw

Monday, January 26th, 2009

OWASP just posted an interview with me as part of their budding podcast series. It’s nice to have the tables turned after doing all the Silver Bullet (and Reality Check) interviews! It’s also nice to be able to answer some of the questions that OWASP types have about Cigital’s approach to software security.

Download the podcast here.

The OWASP interviewer is Jim Manico, and he did a great job. He was a little worried about some of the questions he asked. In fact, off the record he kept saying he was sorry and telling me that I did not have to address certain questions. Personally, I enjoyed the questions he asked immensely. Though some of his questions were loaded, I do hope that my answers may serve to clarify our position and eliminate OWASP concerns.

Here are a few of the many more questions I address in the podcast:

  • Why do you insist on use of the term “software security” as opposed to “application security”?
  • What is static analysis good for and what is it no good for?
  • What is the exact relationship between Cigital and Fortify?
  • Why do you think your “top 19” is any better than the OWASP top 10 or the CWE top 25? (Special note, the 19 Sins work is Mike Howard’s and John Viega’s…I was not involved.)
  • Why does Cigital have a proprietary approach to IP?
  • What makes the Touchpoints any better than the SDL or CLASP?
  • What is your relationship with Allan Paller and SANS?
  • Who picked the “porn music” theme for Silver Bullet?

As an extra bonus, the theme music for this episode is a song written and recorded by my band Where’s Aubrey.

Anyway, enjoy the podcast, and let me know what you think about my answers!

More links:

Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work

Tuesday, January 13th, 2009

On January 12th, the CWE/SANS Top 25 Most Dangerous Programming Errors list was released. Sean Barnum (a Principal Consultant) participated in the creation of the list, and I did some off the record review myself (not for attribution).

There are some important good things about top ten lists that are worthy of mention. The notion of knowing your enemy is essential in security (as it is in warfare), and top ten lists can help get software people started thinking about attacks, attackers, and the vulnerabilities they go after. These days almost any attention paid to the problem is good attention, and the fact that the technical media is paying attention to software security at all is a good thing. Top ten lists help in that respect.

But I have some serious concerns about these kinds of lists that I wrote about in my informIT article this month:

Top Eleven Reasons Why Top 10 (or Top 25) Lists Don’t Work

Here are the reasons, stripped of history and commentary which you can find in the article:

  1. Executives don’t care about technical bugs.
  2. Too much focus on bugs.
  3. Vulnerability lists help auditors more than developers.
  4. One person’s top bug is another person’s yawner.
  5. Using bug parade lists for training leads to awareness but does not educate.
  6. Bug lists change with the prevailing technology winds.
  7. Top ten lists mix levels.
  8. Automated tools can find bugs–let them.
  9. Metrics built on top ten lists are misleading.
  10. When it comes to testing, security requirements are more important than vulnerability lists.
  11. Ten is not enough.

New podcast: Reality Check

Tuesday, January 6th, 2009

I’m happy to announce the launch of my new podcast, the Reality Check Security Podcast with Gary McGraw:

The Reality Check Podcast with Gary McGraw focuses directly on software security practitioners and practical software security. Reality Check’s sister podcast, the Silver Bullet Security Podcast with Gary McGraw, follows a free-form interview style tailored to highlight the ideas and experience of security gurus. By contrast, Reality Check is concerned with practical questions centered on running large-scale software security initiatives in the real world.

Reality Check targets experienced leaders working to solve software security problems in large organizations every day. We use a standard script to guide each conversation with questions about history, methodology, best practice, and measurement. We plan to interview leaders of mature software security programs and leaders of programs just getting started.

Your feedback is absolutely welcome. Please subscribe to the series through our RSS feed or through iTunes.

Science-y fun with the Maturity Model Project

Wednesday, December 17th, 2008

Brian Chess, Sammy Migues and I have been building a maturity model for software security. We decided to base our model on data gathered by interviewing 9 top software security programs. We developed a framework to guide a series of interviews for data acquisition.

Though we have not completed the maturity model (analysis continues apace), a number of surprises bubbled up from the data soup. We wrote them up in an article that we thought you might find interesting.

Though our approach is only “science-y” and may well be closer to anthropology than computer science, we do think it’s important to focus on what works in the real world. If you have any questions or comments about our study, we welcome contact.

New book: Web Security Testing Cookbook

Friday, December 5th, 2008

Two of Cigital’s thought leaders, Paco Hope and Ben Walther, just published a new book from O’Reilly called the Web Security Testing Cookbook. I wrote the foreword for the book which is reprinted below. More information about the book can also be found on Facebook.

Web Security Cookbook cover

Web applications suffer more than their share of security attacks. Here’s why. Websites and the applications that exist on them are in some sense the virtual front door of all corporations and organizations. Growth of the Web since 1993 has been astounding, outpacing even the adoption of the television and electricity in terms of speed of widespread adoption.

Web applications are playing a growing and increasingly prominent role in software development. In fact, pundits currently have us entering the era of Web 3.0. The problem is that security has frankly not kept pace. At the moment we have enough problems securing Web 1.0 apps that we haven’t even started on Web 2.0, not to mention Web 3.0.

Before I go on, there’s something I need to get off my chest. Web applications are an important and growing kind of software, but they’re not the only kind of software! In fact, considering the number of legacy applications, embedded devices, and other code in the world, my bet is that web applications make up only a small percentage of all things software. So when all of the software security attention of the world is focused solely on web applications, I get worried. There are plenty of other kinds of critical applications out there that don’t live on the Web. That’s why I think of myself as a software security person and not a Web application security person.

In any case, Web application security and software security do share many common problems and pitfalls (not surprising since one is a subset of the other). One common problem is treating security as a feature, or as “stuff.” Security is not “stuff.” Security is a property of a system. That means that no amount of authentication technology, magic crypto fairy dust, or service-oriented architecture (SOA) ws-* security API will automagically solve the security problem. In fact, security has more to do with testing and assurance than anything else.

Enter this book. Boy, do we need a good measure of web application security testing! You see, many “tests” devised by security experts for web app testing are not carried out with any testing rigor. It turns out that testing is its own discipline, with an entire literature behind it. What Paco and Ben bring to the table is deep knowledge of testing clue. That’s a rare combination.

One critical factor about tests that all testers worth their salt understand is that results must be actionable. A bad test result reports something vague like “You have an XSS problem in the bigjavaglob.java file.” How is a developer supposed to fix that? What’s missing is a reasonable explanation of what XSS is (cross-site scripting, of course), where in the bazillion-line file the problem may occur, and what to do to fix it. This book has enough technical information in it for decent testers to report actionable results to actual living developers.

Hopefully the lessons in this book will be adopted not only by security types but also by testing people working on web applications. In fact, Quality Assurance (QA) people will enjoy the fact that this book is aimed squarely at testers, with the notions of regression testing, coverage, and unit testing built right in. In my experience, testing people are much better at testing than security people are. Used properly, this book can transform security people into better testers, and testers into better security people.

Another critical feature of this book is its clear focus on tools and automation. Modern testers use tools, as do modern security people. This book is full of real examples based on real tools, many of which you can download for free on the Net. In fact, this book serves as a guide to proper tool use since many of the open source tools described don’t come with built-in tutorials or how-to guides. I am a fan of hands-on material, and this book is about as hands-on as you can get.

An overly optimistic approach to software development has certainly led to the creation of some mind-boggling stuff, but it has likewise allowed us to paint ourselves into the corner from a security perspective. Simply put, we neglected to think about what would happen to our software if it were intentionally and maliciously attacked. The attackers are at the gates, probing our web applications every day.

Software security is the practice of building software to be secure and function properly under malicious attack. This book is about one of software security’s most important practices—security testing.

—Gary McGraw, July 2008

Web application security versus software security

Friday, November 14th, 2008

I have been known to take the Web application security community to task for a myopic focus on Web and Web only. Being constrained by HTTP does serve to make things pretty easy! Lately, I have adjusted my thinking.

Jeremiah Grossman and I cross paths out there on the evangelism circuit pretty often and have talked about Web app security versus software security many times. Jeremiah is a great guy, and always willing to listen and think carefully. It was only natural that he would end up as a Silver Bullet victim.

Episode 32 of the Silver Bullet Security Podcast features a chat with Web security guru Jeremiah. Among other things, we talk about the relationship between Web app security and software security.

Near the end of our conversation, we raised the idea of whether all Web security problems have analogs in the software security space and what that might mean. After thinking more about that issue, I made it the subject of this month’s informIT column.

In the end, Web application security is important, but we must be careful not to overemphasize the solutions that work only for Web apps and forget about the rest of software out there. In the meantime, we have plenty to learn from each subdomain.
