RE: Why Easy To Use Software Is Putting You At Risk

["Al Sutton" <asutton () argosytelcrest com>]

What utter rubish this is. 

The author proposes not doing anything complex because it's scary and could
be dangerous. I say is wake up and smell the coffee, people are doing new
things and want to be able to use their computers for more things. Why
should someone have a degree in computing in order to buy a holiday without
leaving home?, why should they have to use a text user interface because
adding "complex other stuff" could bring out the bogey man.

Using shared code (or "complex other stuff" as it's called) is staistically
MORE secure. If the chance of a bug in a window drawing is 1 in 100,000 then
the chance of it being in a shared window drawing routine is 1 in 100,000 no
matter how many apps use it. If, on the other hand, 10 different
applications each have their own window drawing routine because the software
author didn't trust someone elses code then the chances of having a bug in
all the window drawing routines is 1 in 10,000, an order of magnitude MORE
likley.

This mail looks like a thin attempt to peddle fear and uncertanty about
applications. The fact is that new complex systems are coming because people
want to use them, and we shouldn't run in fear of them or stop people having
them. We should look at how we deliver what people want so that we can build
complex things reliably and securely, after all if we hadn't applied that
thinking to other forms of engineering we'd all probably be sitting in our
caves on rocks eating cold food.

Al
---
Al Sutton
Argosy TelCrest
www.argosytelcrest.com


-----Original Message-----
From: defendingthenet [mailto:mlapidus () ccim net] 
Sent: 20 February 2006 14:35
To: security-basics () securityfocus com
Subject: Why Easy To Use Software Is Putting You At Risk



Title
-----
Why Easy To Use Software Is Putting You At Risk

Can Easy To Use Software Also Be Secure
----------------------------
Anyone who has been working with computers for a long time will have noticed
that mainstream operating systems and applications have become easier to use
over the years (supposedly). Tasks that use to be complex procedures and
required experienced professional to do can now be done at the push of a
button. For instance, setting up an Active Directory domain in Windows 2000
or higher can now be done by a wizard leading even the most novice technical
person to believe they can "securely" setup the operating environment. This
is actually quite far from the truth. Half the time this procedure fails
because DNS does not configure properly or security permissions are relaxed
because the end user cannot perform a specific function. 

If It's Easy To Develop, Is It Also Secure
--------------------------------------------------
One of the reasons why operating systems and applications "appear" to be
easier to work with then they use to is developers have created procedures
and reusable objects to take care of all the complex tasks for you. For
instance, back in the old days when I started as a developer using assembly
language and c/c++, I had to write pretty much all the code myself. Now
everything is visually driven, with millions of lines of code already
written for you.  All you have to do is create the framework for your
application and the development environment and compiler adds all the other
complex stuff for you. Who wrote this other code? How can you be sure it is
secure. Basically, you have no idea and there is no easy way to answer this
question.   

Secure Environments Don't Exist Well With Complexity
----------------------------
The reality is it may look easier on the surface but the complexity of the
backend software can be incredible. And guess what, secure environments do
not coexist well with complexity. This is one of the reasons there are so
many opportunities for hackers, viruses, and malware to attack your
computers. How many bugs are in the Microsoft Operating System? I can almost
guarantee that no one really knows for sure, not even Microsoft developers.
However, I can tell you that there are thousands, if not hundreds of
thousands of bugs, holes, and security weaknesses in mainstream systems and
applications just waiting to be uncovered and maliciously exploited.

How Reliable and Secure are Complex Systems?
----------------------------------------------------------
Let's draw a comparison between the world of software and security with that
of the space program. Scientists at NASA have know for years that the space
shuttle is one of the most complex systems in the world. With miles of
wiring, incredible mechanical functions, millions of lines of operating
system and application code, and failsafe systems to protect failsafe
systems, and even more failsafe systems to protect other systems. Systems
like the space shuttle need to perform consistently, cost effectively, and
have high Mean-Time-Between-Failure(MTBF). 

All in all the space shuttle has a good record. One thing it is not though
is cost effective and consistent. Every time there is a launch different
issues crop up that cause delays. In a few circumstances, even the most
basic components of this complex system, like "O" rings, have sadly resulted
in a fatal outcome. Why are things like this missed? Are they just not on
the radar screen because all the other complexities of the system demand so
much attention? There are million different variables I'm sure. The fact is,
NASA scientists know they need to work on developing less complex systems to
achieve their objectives. 

This same principal of reducing complexity to increase security,
performance, and decrease failures really does apply to the world of
computers and networking. Ever time I here associates of mine talk about
incredibly complex systems they design for clients and how hard they were to
implement I cringe. How in the world are people suppose to cost effectively
and reliably manage such things. In some cases it's almost impossible. Just
ask any organization how many versions or different brands of intrusion
detection systems they have been through. As them how many times the have
had infections by virus and malware because of poorly developed software or
applications. Or, if they have ever had a breach in security because the
developer of a specific system was driven by ease of use and inadvertently
put in place a piece of helpful code that was also helpful to a hacker.

Can I Write A Document Without A Potential Security Problem Please
-----------------------------------------------
Just a few days ago I was thinking about something as simple as Microsoft
Word. I use MS-Word all the time, every day in fact. Do you know how
powerful this application really is? Microsoft Word can do all kinds of
complex tasks like math, algorithms, graphing, trend analysis, crazy font
and graphic effects, link to external data including databases, and execute
web based functions. 

Do you know what I use it for, to write documents. nothing crazy or complex,
at least most of the time. Wouldn't it be interesting that when you first
installed or configured Microsoft Word, there was an option for installing
only a bare bones version of the core product. I mean, really stripped down
so there was not much to it. You can do this to a degree, but all the shared
application components are still there. Almost every computer I have
compromised during security assessments has had MS-Word installed on it. I
can't tell you how many times I have used this applications ability to do
all kinds of complex tasks to compromise the system and other systems
further. We'll leave the details of this for another article though.

Conclusion
----------
Here's the bottom line. The more complex systems get, typically in the name
of ease of use for end users, the more opportunity for failure, compromise,
and infection increases. There are ways of making things easy to use,
perform well, and provide a wide variety of function and still decrease
complexity and maintain security. It just takes a little longer to develop
and more thought of security. You might think that a large part of the blame
for complex insecure software should fall on the shoulders of the
developers. But the reality is it is us, the end users and consumers that
are partially to blame. We want software that is bigger, faster, can do just
about everything, and we want it fast. We don't have time to wait for it to
be developed in a secure manner, do we? 

You may reprint or publish this article free of charge as long as the
bylines are included.  

Original URL (The Web version of the article)
------------
http://www.defendingthenet.com/NewsLetters/WhyEasyToUseSoftwareIsPuttingYouA
tRisk.htm

About The Author
----------------
Darren Miller is an Information Security Consultant with over seventeen
years experience. He has written many technology & security articles, some
of which have been published in nationally circulated magazines &
periodicals.  If you would like to contact Darren you can e-mail him at
Darren.Miller () defendingthenet com. If you would like to know more about
computer security please visit us at http://www.defendingthenet.com.


--
View this message in context:
http://www.nabble.com/Why-Easy-To-Use-Software-Is-Putting-You-At-Risk-t11556
32.html#a3031657
Sent from the Security Basics forum at Nabble.com.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------