Secure Coding mailing list archives
Re: Let's get the ball rolling -- secure application design tools/processes
From: Crispin Cowan <crispin () immunix com>
Date: Mon, 08 Dec 2003 15:10:40 +0000
George Capehart wrote:

> You've touched on one of the problems. Before I start my rant, I'm going to stick a stake in the ground and take the following position: "The absence of "security" in applications is due to: a) Negligent, b) Negligible, c) Inadequate or d) Incompetent management. It's due to the absence of process which is due to the absence of accountability which is due to a lack of governance.

I've seen variations on this rant several times in the week since this list opened, and I'd like to rebut it a bit.

Security is necessarily inconvenient:

* Security is the business of saying "no" sometimes, and so it is necessary that it will be less convenient to use a secure system than an insecure system.
* Secure systems perform additional checks, making them slower than insecure systems.
* Secure systems require substantially more care in design and development, and therefore necessarily cost substantially more than insecure systems.

Therefore, security is *always* a trade off between security and convenience (operational convenience, performance, and cost). Applying cleverness can *reduce* these costs associated with achieving security, but not eliminate them.

The market has consistently chosen convenience over security. This is not negligence or incompetence: it is effective management, assigning resources to meet needs. There is no need to invest large resources in securing systems when actual losses do not justify such an expense.

Only relatively recently (since the rise of the Web) has the balance of the costs of security vs. the costs of insecurity shifted substantially. Prior to the web, your bank could run insecure code all they wanted, because attackers didn't have access to the bank's systems. Web-enabled everything changes this threat balance.

9/11 further shifts this cost balance, in threat if not in actuality. There is a greater perceived threat of attack due to terrorists, whether or not that threat will ever be realized.

All of this is relatively new with respect to programming language design, software development methodologies and cultures, and legacy code base. Things are changing, but not quickly, because there is so much legacy to change.

So please give up on the sanctimonious notion that "they" are neglecting security out of ignorance or incompetence. There are massive economic and inertial effects to overcome. Security is genuinely difficult and expensive, and a real need for it is only just beginning to emerge.

Caveat: I am a vendor of security products. Our Immunix OS and tool suite allows you to run vulnerable code with less risk of compromise. We are overtly trying to leverage the gap between business wanting security and business being willing to pay the price of achieving security by reducing the costs.

Crispin

--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
http://www.immunix.com/shop/