Dailydave mailing list archives

Re: Twitter: (verb) to fail under exponential growth


From: Dave Aitel <dave () immunityinc com>
Date: Tue, 01 Jul 2008 17:50:58 -0400


Chris Eng wrote:
| Oh come on, you know the answer to that.  Because things break.  Same
| reason people don't run WAFs in prevent mode, same reason IPS isn't more
| popular.  Source/binary tools could patch automatically, in theory, but
| in order to measure whether it broke something, you have to have an
| extremely robust regression suite.
My thought is this, to avoid getting into the specifics that annoy 
everyone: People tend to think they can "manage" their networks or their 
application security, but their management skills are scaling linearly 
and the problem is scaling exponentially and they can only throw money 
at it for so long. When people talk about a "self-healing network" what 
they mean is "we can't afford to manage exponentially growing problems - 
those problems have to manage themselves".

Of course, Immunity does offense, not defense, and I'm having to 
translate here from my native language. Where you want a self-healing 
network, we are creating a self-attacking network, and so on. Having 
looked at the problem of exponential growth from the attacker's side, 
I'm trying to posit the defender's part of the issue.

Marc Maiffret says
"""
Because we have tools that can already
pinpoint code problems but companies are too lazy to care to get them fixed.
"""

I don't think it's because they're too lazy at all. I think it's because 
the understanding I need to have of the whole system to fix that one bug 
grows exponentially with the size of the system. Every year we write 
bigger and bigger systems which means the bugs get exponentially larger 
and at some point the cost of fixing any one bug is larger than we care 
to take on.

Specific to application security, yes, things will break if you 
automatically patch them, but this is true of humans patching things as 
well. Patching a vulnerability depends on knowing what it is. For some 
values of "know" this process is trivial, and for some it's not. I think 
it's a very automatable problem, either in the binary or in the source. 
The only way to really argue the "can do" side is to do it, of course.  :>

- -dave

