Dailydave mailing list archives

RE: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did

From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Wed, 4 Feb 2004 10:05:19 -0500

Depends on your industry.  Typical COTS software can defer known
defects, including possible security risks (though typical COTS
developers and QA teams probably don't think much about these), until
after release, so it doesn't matter when you find them, since finding !=
fixing.  Also, building secure software boosts the consumer's
productivity and reduces the consumer's costs, but as you point out I
don't think it does the same for the developer (unless they have
contractual sanctions of some sort for security defects, and that
probably doesn't happen very often - in my experience when, for example,
a consulting shop delivers a banking or mortgage application, which is
then tested and found to be full of holes, the client generally pays the
consultancy some more to fix their problems).

Banks and the like are very interesting, because I imagine they don't
get to make that choice to defer fixing serious security issues.  I
imagine there's some pretty strong due-diligence requirements on that
sort of thing.  So unlike regular software where the cost of defects can
be weighed after they have shipped, and their "real" urgency can be
gauged from consumer reaction, and sort of amortized over multiple
development cycles (i.e. only ever really fixing the bugs your users are
seriously griping about, leading to a steadily growing pile of
continuously deferred medium and low priority bugs that has been known
to drive men insane), serious software security defects in the financial
industry become showstoppers, so every one of them has to get fixed, and
there's no amortization cost benefit.  Furthermore, because the option
of deferring these bugs is not available, it is possible to incur
tremendous opportunity costs while you wait for your software to be
fixed, something other industries can shrug off and say "That's going to
be the cost of being first to market".

Combine this with the frequently endemic nature of security defects -
they are defects in implementation style (not performing safe integer
arithmetic, concatenating parameters to make SQL statements) or design
(not having a reference monitor or row-level access control), and rather
than having a single defect to fix, what you really have with one
"vulnerability" is a problem on multiple lines in every file in the
application.

So it's my opinion that security "bugs" are much much more expensive to
fix during implementation or maintenance than regular bugs.  The numbers
you quote sound much more like the kind of numbers I hear about regular
software in books like "Rapid Development".  For security bugs in
financial software, I believe it is much higher.

This is why education is the key for this kind of software.  If you can
start with educated developers, the risk and cost of security problems
can be significantly reduced.

IMHO.

Phil

-----Original Message-----
From: dailydave-bounces () lists immunitysec com 
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of 
Dave Aitel
Sent: Wednesday, February 04, 2004 9:33 AM
To: dailydave () lists immunitysec com
Subject: [Dailydave] Lame studies that people quote as fact 
that have no basis in reality and still don't prove anything 
even if they did

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss306_art550,00.
html

"""
Don't get me wrong. Building secure software is a laudable goal. It 
boosts productivity and reduces costs. According to one study, it's 6.5 
times more expensive to fix a security problem in the implementation 
phase than in the design phase of a software rollout. By the time you 
get to the maintenance phase, it's 100 times more expensive. """

This is crap. If you spend your whole life looking for security bugs in 
your product, then you find them. Continuously. You'll end up finding at

least 100 times more than will ever come out in public. So you really 
save a lot of money by doing everything in the QA phase, where it
belongs.


-dave




_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave

Current thread:

RE: Lame studies that people quote as fact that have no basis in reality and still don't prove anything even if they did Brass, Phil (ISS Atlanta) (Feb 04)