Archive for the ‘Software Security’ Category

Remediation – The Game

Thursday, September 2nd, 2010

(This is a guest post, contributed by Timothy Champagne, a consultant at Cigital.)

I have long been a fan of card games. During lunch breaks at work, my co-workers and I would often play such games to pass the time and socialize. I found myself thinking that this activity could not be unique to my office; countless others out there undoubtedly have similar routines. It occurred to me that there must be a way to harness this social gathering at work and turn it into a fun learning experience built around what I know best – software assurance and software security. After all, if people are going to play a card game, why not play one that can help ingrain the very ideas that Cigital has been trying to expound on for over a decade?

So I began designing Remediation, a card game that pits web application companies focused on generating revenue against the threat of malicious users focused on negatively impacting that revenue for their own nefarious motives. This is the very scenario that we encounter at Cigital on a regular basis and a theme that can easily transcend the commercial world and find relevance within the Federal space… an area of particular interest to me due to my work with the Application Software Assurance Center of Excellence (ASACoE) for the US Air Force.

Remediation has players compete to end up with the highest score while playing through real life software security scenarios. While taking on the role of either a company or a malicious user, the players take turns with the ultimate goal of playing the most revenue cards. The malicious users attack the company players with exploit cards, a SQL Injection attack for example, and score points in the form of revenue that the company loses by having their web application taken offline. The company players will then play cards, like a Database Restore, to recover from these attacks so their web applications return online and generate revenue for their own scores. Additionally, the company players can choose to spend some of that gained revenue to play cards that represent an investment into advanced security techniques that can prevent specific attacks against their applications, such as the game’s namesake, a Vulnerability Remediation card. At its heart, Remediation conceptualizes how various exploits could affect a web application and what measures would need to be taken in order to recover from these situations.

With its focus on software security themed gameplay, one of the primary goals for Remediation is for it to be useful as an educational tool. In today’s increasingly web-centric environment, it is more important than ever for developers to be able to think like an attacker and stay one step ahead of the threats that plague web applications every day; this game is designed to instill that mindset by presenting specific examples of how an attacker might target a system. As for managers, it is absolutely vital to understand how these risks might affect the successful conduct of business; the game works on this level by not only showing how these types of attacks can harm a company, but also how Cigital’s service offerings can help protect against these threats. By mirroring real life situations, Remediation strives to impart crucial skills that will help improve the players’ real world security posture outside the game.

Of course an additional goal would be to have a fun game with replay value so that the game could have a life of its own and introduce future players down the road to software security and how Cigital fits into this picture. Email us at remediationthegame@cigital.com if you’re interested in getting a copy of the game for yourself.

Software Security Crosses the Threshold in 2009

Monday, August 16th, 2010

I have been tracking the software security market and publishing numbers since 2006. This year’s article is now available on InformIT: Software Security Crosses the Threshold.

See these past (mysteriously named) articles for data from previous years:

The figure above shows, in millions of US dollars, how the four major segments of the space have grown since 2006, from a total of $293.9 million (2006) to a total of $554.4 million (2009). Note that even stronger growth is evident midway through 2010.

Analysis and details are available in the InformIT article.

Speaking at CISSE on 6/8

Friday, June 4th, 2010

I’m speaking at the 2010 Colloquium in Baltimore on Tuesday 6/8 on Cloud Security. Here’s the abstract.

Cloud Security: Don’t Be Late to the Party

Cloud computing is here to stay. No amount of security whining will stop the cloud, and yet as the cloud revolution sweeps IT it behooves us to pay close attention to security and privacy concerns. If, as everyone says, security is a process and not a thing, what processes and procedures do we need to put in place to secure cloud computing? How do you build security into something that you don’t entirely control? These and other important questions are the focus of this talk. I will discuss how cloud computing changes the nature of software design and development, the cloud security threat-scape, and the different flavors of cloud implementation and their security ramifications. Whether your organization is just kicking the tires or moving into more serious pilot projects, it’s never too early to begin addressing the changes cloud computing will impose. I will discuss what can be done today in terms of both technical and contractual mechanisms.

Silver Bullet Turns 50

Wednesday, June 2nd, 2010

It’s hard to believe that the Silver Bullet Security Podcast has been running for 50 consecutive months! Silver Bullet has thousands of listeners, and it’s always fun to produce. Writing the script usually takes an hour or two, and requires some advance research from Brandi Ortega of IEEE S&P fame. Then we do recording (almost always over the phone) and post production mixing to add in the music.

For our 50th episode, we decided to shoot some HD video of our interview with Richard Clarke. Ryan and I bought some cheap digital cameras, (really importantly) some lights, and a “clapper”, which we drove out to Arlington for the shoot. We recorded audio separately with boom mics and a USB mixer. Then came the video editing…

And the result? Check it out for yourself (video embedded in the original post).

It amazes me what you can do for less than $1000 with video these days. Shouts to Marcus Ranum for the photography advice. Thanks Ryan for the extra effort on this episode! And also thanks to IEEE Security & Privacy magazine for co-sponsoring the podcast.

We hope you like Silver Bullet, and we welcome your feedback on the Silver Bullet website. Subscribe today via RSS or on iTunes.

Trusted Cloud Initiative

Monday, May 10th, 2010

I just moderated a panel on security within Cloud Computing environments. Many of the questions from the audience were about how to trust cloud computing environments. Trust is such a loaded word and I couldn’t tell from the participants if they were looking for a bunch of bolt-on controls or something more holistic.

At RSA, the Cloud Security Alliance announced the Trusted Cloud Initiative (TCI). The purpose of the TCI is to take the CSA guidance a couple of steps forward by defining both a reference architecture and a way to certify cloud services.

There are three sub-groups working on the distinct areas of trust we believe are needed:

  • Architecture – definition of the required security controls as well as the relationships, constraints and patterns of usage
  • Certification – ways of discovering the security controls provided by a particular cloud computing environment and measuring their ongoing usage
  • Reference Implementation – working prototypes and demos that prove out the architecture

More information on the TCI can be found on the CSA website.

Anyone interested in volunteering their time to work in one of the subgroups can contact me and I’ll help you get hooked into the TCI effort.

Is Cyber War Inevitable?

Thursday, May 6th, 2010

Turns out that Richard Clarke is a national security policy wonk. I guess that fact is not that surprising if you knew that Mr. Clarke was once an Assistant Secretary of State working on nuclear arms control issues during the Reagan years. The general public knows Dick best as a key figure in counter-terrorism who famously testified before the 9-11 commission and then became enmeshed in partisan battles. Those of us on the front lines of cyber security know Dick best as one of the first political types to focus real attention on computer security. For that, we owe Dick a major thank you.

In his new book Cyber War, co-authored by foreign policy expert Robert Knake, Mr. Clarke confronts an important topic too often swept under the rug with the burgeoning pile of security FUD—the notion of cyber war. US citizens have every right to worry about cyber war given our risk exposure. The risks of cyber war and some of the potential consequences are impressively covered in the book and even include doomsday scenarios that are getting Dick into hot water with the hipsters at Wired. Consider how little North Korea depends on the Internet (ok, they are only barely scraping by as a society), then consider the same dependency in the US. See the problem?

One of the challenges of discussing computer security rationally in the Internet Age is that devastating consequences always seem hyperbolic, even when they’re not. Turns out that taking down the power grid with a cyber attack is not outside the realm of possibility. I’ve been told by people who actually engineer and run the grid for a living that inflicting permanent damage taking years to fix is more than possible given current design. Nor is the notion of an Information Warfare attack preceding “kinetic” involvement with explosive chunks of metal some kind of idea from Mars. One of the coolest stories in the book involves the Israeli destruction of the ill-fated Syrian nuclear facility. Scary? Yes. Hyperbolic? Not so much.

There are a few technical nits to pick, of course. Calling out the Estonian DDoS attack (most likely perpetrated by the Russians) as some kind of major cyber attack is a bit over the top. DDoS attacks are the stuff of script kiddies and solutions that thwart them are over a decade old. Most problematic of all is the overemphasis on network security mechanisms and ISPs as proposed technical solutions to the problem. I know Ed Amoroso (CSO of AT&T) believes that security defenses and monitors need to be put in place in the tier-1 ISPs, and it’s very clear that he has convinced Dick of that. But as a computer security expert, I am skeptical of that solution. In my view, the only way we can properly address the cyber war problem is by attacking software security head on. Fortunately Dick says the right things about software vulnerability, demonstrating a nuanced understanding all too rare among politicals.

From a policy perspective, the ideas in Cyber War are fresh, new, and important. Dick’s mastery of arms control strategy comes to the fore when he discusses various ideas about cyber war non-proliferation. I must confess that my knowledge of such things is rudimentary at best. I wonder, probably naïvely, how we can think of controlling something as invisible as cyber attack capability (not to mention Trojan Horses and logic bombs) when we can’t even stop Iran from refining uranium like the complete nut-jobs that they are. But SALT II and START came from somewhere, and they have been a very good thing for the world.

Some of my foreign colleagues in computer security (but not all, see this posting from Italy for example) wonder why we are so obsessed with cyber war in the States. They are not sure why we are the only society openly discussing these things. Perhaps they hear the drums of war beating again as they did in the impressively-orchestrated and utterly-delusional run up to the Iraq war. More likely I think the answer to that question lies in understanding just how vulnerable we are in the States. We may not be the most wired country in the world from a consumer perspective, but we’re the most wired country in the world from a critical infrastructure perspective. Cyber war is a serious problem that calls out for serious solutions.

In final analysis, I think it behooves every computer security person to read this book and think through its points carefully. Even if you disagree with some parts of the book (as I do), we must do what we can as technically adept citizens to involve ourselves in the political discourse around cyber war. Dick does an excellent job getting the conversation started.

With apologies to Peter Deutsch…

Thursday, April 29th, 2010

A long time ago, when distributed computing was in its infancy, and the promise of new technology made early adopters of us all, a fellow named Peter Deutsch found himself pulling out his hair. There was, he reasoned, an unimaginable amount of positivity about this new “distributed” technology. Accordingly, Deutsch decided to record the “Fallacies of distributed computing” for posterity. Almost twenty years later, I think there’s still a lot of learning to be done.

At Cigital, I lead the mobile and wireless practice, and I often find myself in the same position as Mr. Deutsch. As I’ve watched the mobile industry grow over the years, I’ve seen a huge amount of optimism placed on the hardware and software that we’ve all come to find indispensable in our modern lives — the cell phone.

While I still remain optimistic, I’ve decided to pen my own “Fallacies of Mobile & Wireless” list, to spark some discussion and to get the industry rolling on some positive (and sometimes painful) changes.

The list goes something like this:

  1. The (network|handset) is reliable
  2. The (network|handset) is secure
  3. Bandwidth is infinite
  4. Users will accept buggy software
  5. Handsets are homogeneous
  6. CPU is unlimited
  7. Users understand the risks to their privacy and data
  8. Everyone has the latest hardware

Before you judge me curmudgeonly, let me say this: I have nothing but the greatest optimism for mobile and wireless technology; the benefits I’ve seen far outweigh the costs. However, I feel that it’s time to really set the record straight on some of the awful compromises that have been made. This is the beginning of an 8-part blog series where we’ll explore each one of these fallacies, and tease out some of the group think that’s led us to the situation we’re in today, as well as some of the concrete actions we can take to improve the lot of mobile and wireless from the security, privacy, and, dare I say, reliability perspectives.

Let’s dissect the first idea briefly.

“The network or device is reliable”

The idea that we can make phone calls, browse the web, read our email, or watch YouTube has become a cornerstone of our mobile lives. Most of the time, things work pretty well. The nasty thing is, we predicate all of these things on a mish-mash of software and hardware over which we have little control. Application developers all over the world have been counting on the fact that network connections can be made, SMS messages will arrive safely, and that, in general, there will be few or no errors to deal with in the field. While this approach works well for media consumption (a la YouTube), we’re moving into dangerous territory as we begin to have ubiquitous banking, social networking, and other privacy-laden applications show up.

My hat is off to the wireless providers the world over, as they have generally been doing a great job of connecting us to each other for more than a decade. The biggest trick is that our general use of mobile devices has been undergoing a gradual but ever-accelerating change. We’ve gone from simple voice calls to short messages, and from short messages to multimedia messages, and from there… Well, we’re very close to having a highly-converged IP-based backbone with mixed traffic and an even larger universe of devices which can access it.

Does this worry anyone else? I don’t normally find myself sleepless over technology-related issues, but I do wonder how well both wireless carriers and mobile phones will cope with this eventual evolution. From network issues in large urban environments (Apple iPhone in Manhattan, anyone?) to guaranteed connectivity in rural areas, we have a lot of work to do to catch up to the needs of subscribers and the businesses who publish mobile applications.

The idea that mobile and wireless applications can simply abdicate their responsibility for error handling is quickly coming to an end. I hope that we’re ready for the tidal shift that will require us to learn our lessons all over again.

Is Digital Evidence the Forcing Function After Compliance?

Monday, April 12th, 2010

My Saturday US Mail delivery (so sad if it goes the way of the dodo bird) arrived with several notifications of class action lawsuits for companies in which I’ve held equity positions. As I walked back from the mailbox, I had the thought:

HIPAA and PCI protect the consumer, but who/what is protecting the business that must comply?

I was thinking about all of the audit controls that get put in place to comply with these regulations. The controls are generating data that is going to be used in one of these lawsuits someday. How is this going to look to a judge?

I suspect that there are a fair number of judges that can figure out that any digital asset can be tampered with. Today, they can look at the people in an organization that have access to the data to determine the validity of the data. That may pass muster with today’s judges, but what happens when judges (in their youth) have doctored photos in Photoshop? Will such judges be willing to accept that people working for a company didn’t tamper with the digital asset? Somehow, I don’t think Log4j is going to cut it.

And what happens when we factor in all of this cloud computing stuff? Where’s the chain of custody then?

At some point, the audit logs from IT are going to be presented as evidence and some judge is going to point out that there is reason to doubt their authenticity. At that point, I suspect that corporate attorneys are going to want to focus on meeting the letter of the regulation and also ensure that all of the work done to comply is admissible in a court of law.
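The worry above is that a log written by an ordinary logging library is just a file, and anyone with write access to that file can rewrite history without leaving a trace. The standard answer is a tamper-evident log: every record carries a keyed MAC over its own contents and over the MAC of the record before it, so editing or deleting any record breaks every record after it, and the latest MAC is published somewhere the operator cannot quietly change. The following is an added example written for this page, not code from the original post or from Cigital. It assumes the MAC key is held outside the audited system (an escrow or external log-signing service), the record fields and sample events are constructed for illustration, and the `anchor` value stands in for whatever out-of-band publication (printout, ticket, third party) an organization would actually use.

```python
"""Tamper-evident audit log: hash chain plus keyed MAC (added example).

Each record carries the MAC of the previous record, so editing or deleting
any record invalidates every record after it. The MAC key is assumed to be
held outside the audited system; an attacker who also holds the key can of
course rewrite the chain, which is why the key must not live with the log.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key: bytes, seq: int, ts: str, event: str, prev: str) -> str:
    # Canonical JSON encoding so field boundaries cannot be shifted around
    body = json.dumps([seq, ts, event, prev], separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, ts: str, event: str) -> dict:
    """Append one record, linking it to the MAC of the previous record."""
    prev = log[-1]["mac"] if log else GENESIS
    rec = {"seq": len(log), "ts": ts, "event": event, "prev": prev}
    rec["mac"] = _mac(key, rec["seq"], ts, event, prev)
    log.append(rec)
    return rec


def verify(log: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, seq of first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != expected_prev:
            return False, i
        mac = _mac(key, rec["seq"], rec["ts"], rec["event"], rec["prev"])
        if not hmac.compare_digest(mac, rec["mac"]):
            return False, i
        expected_prev = rec["mac"]
    return True, None


def head(log: list) -> str:
    """MAC of the latest record. Publish this out of band so that truncating
    the tail of the log (which the chain alone cannot see) is detectable."""
    return log[-1]["mac"] if log else GENESIS


def demo():
    key = b"example-key-held-by-escrow"  # constructed; a real key lives outside the audited host
    log = []
    # Constructed sample events, not real data
    for ts, ev in [("2010-04-10T09:00:00Z", "user=alice action=view record=PHI-1042"),
                   ("2010-04-10T09:05:00Z", "user=bob action=export record=PHI-1042"),
                   ("2010-04-10T09:07:00Z", "user=bob action=delete record=PHI-1042")]:
        append(log, key, ts, ev)
    anchor = head(log)  # value published at the time the log was closed

    intact = verify(log, key)

    # Tampering 1: change who performed the export. A plain text log accepts this silently.
    edited = json.loads(json.dumps(log))
    edited[1]["event"] = edited[1]["event"].replace("user=bob", "user=alice")
    edit_result = verify(edited, key)  # chain breaks at seq 1

    # Tampering 2: drop the last record. The chain still verifies...
    truncated = log[:-1]
    trunc_result = verify(truncated, key)
    # ...but the head no longer matches the anchor published earlier.
    trunc_detected = head(truncated) != anchor
    return intact, edit_result, trunc_result, trunc_detected


if __name__ == "__main__":
    print(demo())
```

Two points the demo makes explicit: a keyed chain catches in-place edits but not removal of the newest records, so the head value has to leave the operator's control (the anchor) for the log to be whole as evidence; and the key is part of the chain of custody, since whoever holds it can re-sign anything.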

Regulations such as HIPAA and PCI DSS are strong business drivers for improving software security for many of our clients. The focus for most groups is to meet some audit deadline. Getting past the auditors to ensure compliance is the first hurdle; providing audit logs that can pass legal muster can’t be far off.

At the NRECA conference

Wednesday, March 24th, 2010

I had the opportunity to address a group of electrical cooperatives at a recent conference in sunny Atlanta, which was actually snowy. I always welcome the challenge of bringing technical security concepts to a new audience and this was an excellent crowd. The ensuing Q&A showed the broad range of concerns from these small electrical cooperatives that are beginning to deal with a tidal wave of new statutory, regulatory, security, privacy, and technology requirements, along with things yet unimagined. Although the vast majority of these organizations are very small, I was very impressed by their willingness to understand and work toward meeting the new requirements.

I did have a case of the “ummmmmm”s while speaking.

Here is a video of my opening segment and the first question of the Q&A. To see the full session, you can view it from the NRECA conference Keynote Speakers page.

Smart Grid equals Dumb Security?

Monday, March 22nd, 2010

I recently had the pleasure of giving a keynote at the NRECA annual conference in Atlanta. The conference brings together senior management and Board members from rural electric cooperatives throughout the country. Some coops are large in terms of the number of subscribers, and some are large in terms of geographic area covered (those numbers often run opposite to each other). My job as keynoter was to introduce some thinking about computer security to business people who operate power grids for a living. This is a big challenge for a geek like me.

Of course I ended up touching on software security, especially the fact that power meters for the “smart grid” are little IP-enabled computers hung on the outside of your house. Given known attacks against this new breed of meters, the question is how many rooted smart grid meters in a botnet could cause a really serious problem?

Here is my talk in its entirety. Your feedback is welcome.

Download audio [mp3]
Download presentation [pdf]

I’m pleased that Cigital is directly involved in working to make smart grid security a reality. We’re working directly with NRECA to bring electric cooperatives up to speed with cyber risk management.
