Secure Coding mailing list archives
Economics of Software Vulnerabilities
From: arian.evans at anachronic.com (Arian J. Evans)
Date: Wed, 21 Mar 2007 12:57:17 -0700
Spot on thread, Ed:

On 3/20/07, Ed Reed <ed.reed at aesec.com> wrote:
> Not all of these are consumer uprisings - some are, some aren't - but I think they're all examples of the kinds of economic adjustments that occur in "mature" markets.
> - "Unsafe at any speed" (the triumph of consumer safety over industrial laziness)
> - Underwriter Laboratories (the triumph of the fire insurance industry over shoddy electrical manufacturers)
> - VHS (vs BetaMax - the triumph of content over technology)
This is ironic to me: I wrote a paper for management types, an upper tactical to strategic level view of the "software security" problem. In its current incarnation it is called "Unsafe at Any Speed". Besides a layman's breakdown of the fundamental issues, it covers (a) implementation issues, almost entirely falling under the inability to enforce data/function boundaries in modern implementation-level languages or platforms, and (b) functional issues, which are design/workflow or emergent-behavior related.

The important point I stress is that there really hasn't been a Whistle-Blower Phase in the software industry concerning security. Today, vague arguments about plane crashes aside, there is little to no hard evidence tying software defects with security implications to loss of human life. And that's the kicker: dollars to DNA, it's death that sells.

I also argue that we are killing the Canaries in the Coal Mine. The script kiddies, the guys writing the little payload-less worms, the kid who wrote the Sammy virus: they are scared to touch systems now. These were the Canaries down there in our software coal mines. SQL Slammer and the Witty worm, though they had no payload, caused negative impact, but there were no charges for those. The charges are always against some token young guy for some relatively benign worm. MySpace slows down and we prosecute a young kid with above-average problem-solving skills. I used to call these worms that slowed things down "free pen tests", later "canaries". They had a real (positive) value to us, and we've killed that value without replacing it with something better.

I experienced a rise in vendor animosity and threats in the two years, a reversal of the trend back to the "good old days", coupled with work constraints restricting full disclosure options.

What made this worse (to me, ethically) is that many of these vendors were advertising "security" to their clients, from an image of a safe on the website with a list of "security features", to announcements proclaiming the security of the system displayed to users after they log in. None of these systems were measurably secure in any fashion I could detect, not even against the usual suspects (SQLi, XSS, Insufficient Authorization/Workflow bypass, etc.). I got the feeling things were getting worse. That, or I hit some weird biased sample of ISVs.

I think you are on to something here in how to think about this subject. Perhaps I should float my little paper out there and we could shape up something worthwhile describing how the industry is evolving today. I have been peacefully quiet since I quit my old job, ignoring the security lists and industry, and haven't poked the bear, err, trolled any of the usual suspects lately. Looks like I've been missing out on some good dialogue.

Thank you, this was very helpful,

Arian J. Evans
Solipsistic Software Security Sophist at Large