Full Disclosure mailing list archives

Is the security industry like a lemon market?


From: "Daniel Guido" <dguido () gmail com>
Date: Wed, 23 Jul 2008 14:40:03 -0400

This pair of essays was written in 4 hours the night before they were
due for last year's Cyber Security Awareness Week at Polytechnic
University. They were intended to answer the question, "Is the
security industry like a lemon market?" as first brought up in a Wired
article by Bruce Schneier last year [1].

We'll be hosting an essay contest and many others again this year.
Contests are for students only and registration is available at:
http://isis.poly.edu/csaw.

Feel free to contact me for more information.

--
Dan Guido

[1] http://www.schneier.com/blog/archives/2007/04/a_security_mark.html


-------------------------------


Alicia Bozyk
CSAW Essay
November 18, 2007

Trends in Security Products

Due to information asymmetries, consumers are unable to identify what
security is and how they should be protected. They are easily swayed
by market driven trends that recur on a regular basis. Such trends are
not necessarily merit based and fail to solve the security problems
that consumers face in meaningful ways. This problem has resulted in
numerous products in the form of firewalls, antivirus software,
intrusion detection systems (IDS), and anti-spyware and malware
software. These products receive a lot of attention and are marketed
as solving security problems. However, the same threats endure even
when a user is fully covered by such mechanisms. The success of such
security products on the market is a result of marketing and
advertising, the lack of reliability provided by authoritative
sources, and a lack of focus by industry professionals to create a
comprehensive approach to improving computer security. The security
industry is flooded with poor quality software products which are
driven by rapidly changing security trends rather than the real needs
of consumers.

Any new security trend introduces an influx of security offerings to
the market. The consumer market for security software reached $1.6
billion last year, according to the research company IDC. The consumer
ranges from large institutions and corporations to the owners of home
computers. Since the market share of the security industry is so large
and its targets so varied, there are considerable opportunities to
create new products as trends in the industry shift. Security
companies spend a large amount of money on marketing and advertising
campaigns for these new offerings. The goal is to convince consumers
that they are not safe unless they purchase a new product, or upgrade
their existing products to include new features. As a result,
companies and individuals are constantly purchasing new security
products and spending more money to improve the ones that they already
have. If a consumer is unwilling to invest in products that protect
against the newest threats, they run the risk of appearing negligent.
However, new offerings cannot guarantee security and may not provide
much added value. Trend driven advertising frightens consumers into
new purchases, adding more incentive for producers to push out more
and more products.

Another common flaw in the security industry is that many average
consumers have little or no knowledge of computer security and what it
means for them. However, most consumers are convinced that they need
to take some action to safeguard themselves against threats. As a
result, most try at least one of the following two methods. A consumer
can scour the internet for reports and reviews on security products.
They can also turn to sources of authority to provide the answers for
their security needs. Both methods will likely result in a consumer
making unfortunate decisions about a security product that is driven
by recent trends in the security industry. If a consumer tries to do
their own research, it is difficult to find clear answers since they
may not know what to look for and must sift through a lot of
misleading advertising. If a user simply turns to an authoritative
source, they might accept a bad product. For example, Columbia
University Information Technology recommends that all students and
faculty members install Symantec Anti-Virus software on their personal
computers. Many students take this suggestion to mean that as long as
they have this software installed, they are safe. However, it is common
knowledge among security professionals and hackers alike that
anti-virus is not a silver bullet, anti-virus does not protect against
all security threats, and anti-virus provides questionable value to
begin with. The following diagram is taken from a publication by
VirusTotal, an organization which tests the efficacy of all major
anti-virus brands to detect new malicious code.

[blue: 31692, red: 2]
Failures in Detection (Last 24 Hours)
Red: Infected files not detected by at least one antivirus engine.
Blue: Infected files detected by all antivirus engines.

This diagram is evidence that, in many cases, anti-virus cannot protect
even against the threats it claims to protect against. Most consumers do not have
the knowledge of the security industry needed to make informed
decisions on the products they are using to protect themselves.
Instead, they turn to products that protect only against the latest,
most popular security threats.

Since security products are trend driven and highly profitable,
security professionals have little incentive to address the root
causes of security threats. Creating software that only acts as a
firewall or as anti-spyware does not result in comprehensive security.
The industry leaves the market open for more trend driven software by
not addressing entire threat classes when they become known.
Preventative measures are often not well received by the security
industry. We see this in security technologies which are effective,
but nonetheless have received little support from the commercial
security industry. An example is SELinux and the mandatory access
control framework for Linux, which was well received by security
professionals. It was not until the NSA, a government agency,
developed SELinux at a loss that it was brought to the public. This
suggests that intervention by government agencies and non-profit
organizations may be needed to break the cycle of trend driven
software development. Security professionals must provide tools and
guidance to software developers that will allow them to architect
systems that will have long-term security benefits. In order to begin
making real strides in computer security, the entire industry must
realign its goals with the needs of consumers in order to provide
comprehensive security coverage, as opposed to temporary fixes for new
and popularized security threats.

The success of poor quality security products on the market will
continue until the security industry recognizes the need to create
products that lead the way to more secure software. Until then,
popular trends in security threats will continue to dictate software
development. The outlook for the future remains positive, as
professionals formally trained in secure product development start to
enter the workforce. This new generation can recognize risk and
encourage the use of a secure development lifecycle. Until then, a
number of bad security products will remain on the market, and will
generate huge profits for the security industry. Advertisers and other
authoritative figures will compel consumers to purchase additional
security products, without providing evidence that such products will
work reliably or effectively. These products will continue to be
driven by the latest trends in security, scaring consumers into
compliance by playing on their fears of not doing enough to protect
themselves.

Sources
http://www.nytimes.com/2007/01/29/technology/29ecom.html
http://www.virustotal.com/estadisticas.html


-------------------------------


Daniel Guido
Polytechnic University
Cyber Security Awareness Week 2007 Essay Contest

It's Not About Security Products

The United States, much like the rest of the world, creates laws and
regulations to protect its citizens from dangers ranging from tainted
food to hazardous children's toys. While these domains are regulated
by governments for the safety of their citizens, another consumer
product, computer software, is very loosely regulated, if at all. The
United States has the Consumer Product Safety Commission to evaluate
the safety of consumer products, Underwriters Laboratories to certify
products for safety, and the FDA to regulate the food industry (among
others), however, no such organization exists to oversee the safety of
an arguably more important product: computer software. The lack of
regulation from an oversight body is alarming because there are no set
standards for what is considered acceptable computer software. While
there are laws which allow the government to prosecute individuals who
spread malicious software, there is very little that can be done to
those who negligently release insecure software.

Computer software products are one of the only products sold in the
United States that have no safety regulations. Other industries
recognize, address, and deal with safety issues in an organized way as
seen by the swift recall of toys by Mattel after the Consumer Product
Safety Commission determined the toys contained lead. However, in
computer technology, problems caused by safety issues can both lie
dormant and can be much more disastrous: they have the potential to
affect more people with more immediacy than any other type of
commercially available products. If major structural security problems
were found in Microsoft's Internet Explorer or a critical piece of the
Windows operating system, it would be virtually impossible to find a
hospital or a government agency that would escape unaffected from such
an event. Additionally, software companies are under no obligation to
notify the public of the existence of such a flaw, and commonly, they
do not. This threat becomes more significant when one realizes that
most users of computer technology do not understand the intricacies of
how computer software works. Software that has been patched looks the
same as software that has not. This information asymmetry puts the
consumer at a great disadvantage in even determining whether they are
at risk and suggests that government regulation may be necessary to
level the playing field.

Looking at regulation in the consumer health care industry: in
response to a batch of contaminated vaccines that killed 13 children,
Congress passed the Biologics Control Act in 1902, which laid the
groundwork for what would later become the Food and Drug
Administration (FDA) in 1906. Since then, the FDA's authority has
expanded to cover the safety of food, dietary supplements, drugs,
blood products, and so on. Testing done by the FDA minimizes such
events and uncovers safety issues before products reach the market. If
safety issues are uncovered after a product is in the hands of
consumers, the FDA has shown itself to be highly competent in using
its authority to stop production and importation of unsafe products as
well as issue recalls. This can be seen in the recent counterfeit
Colgate toothpaste recall earlier this summer.

Regulation of the health care industry began in the early 1900s after
thousands of years of medicine and snake oils. The clearly defined
processes which that industry follows to deal with safety events are
the result of decades of development and refinements. When we look at
the technology industry, it is still in its infancy and is poorly
understood in comparison. Yet, we rely on it as much if not more.
Aspects of information technology have worked their way into our
banking services, health care, airline travel, public utilities, our
home office, and so on. Even when considered alone, the technology
industry makes billions of dollars headlined by such stars as Google,
Facebook, Microsoft, and Apple. However, as our use of information
technology has increased, so has our exposure to security problems in
the underlying technology. We saw these problems reach a peak in the
summer of 2003 when a number of high profile worms affected Microsoft
products (SQL Slammer, Blaster, Welchia, Sobig, Sober) and one was
even potentially the cause of the Northeast blackout in August of
that year. This fact makes the development of such processes for the
technology industry all the more pressing as the potential for
disaster is enormous and highly likely.

Yet, public response to such catastrophic events has been low and
industry-wide actions taken to prevent their recurrence have been
ineffective, non-existent, or quickly forgotten about. It seems that
in the minds of the public, security issues have become so commonplace
that they are accepted as a fact of life. Home users are targeted
again and again for "user education" and are told to buy anti-virus
software, firewall software, anti-spyware software and so on; however,
even with all these layers of protection, they are still vulnerable
due to the inherently faulty code on the systems that the security
products are trying to protect. No amount of security products can
make up for poorly written software permeating all aspects of your
computing environment. The constant patching and updating users must
endure is a testament to the shoddy products that are released to the
market in the first place.

Although there has been little push to regulate computer software,
certain agencies and firms have begun to realize the importance of
finding and fixing flaws in widely used software and, instead of
selling you another product, have done so in a way one might call a
public service. In an attempt to protect all users of information
technology against security problems, the Department of Homeland
Security recently hired Coverity, a private software company that
develops code scanning tools, to identify flaws in open source
applications critical to the functioning of the Internet and alert
their developers before attackers have a chance to find those flaws
themselves and exploit them. This project has been exceedingly well
received both by developers and by users of the applications and has
resulted in the discovery and remediation of thousands of potential
flaws among dozens of critical software projects. Actions like those
taken by the DHS have resulted in a greatly improved software
ecosystem in a way that another security product could never have
provided.

The proactive approach taken by the Department of Homeland Security in
its partnership with Coverity is an excellent example of a method that
should be implemented for the entire computer industry and have its
reach expanded. While various security vendors have released product
after product and update after update, each claiming that they are the
end-all for your security needs, DHS has provided an invaluable
service to all users of technology in improving the structural
integrity of software programs we all use and rely upon. Regulation
does not have to take the form of the FDA, which requires that all
drugs be tested and approved for use prior to reaching the market.
Rather, a publicly-funded organization which tests and certifies the
structure and code security of software as they reach the market and
is involved in releasing proactive security measures back into the
industry would be highly beneficial in fixing flaws before they become
real problems. Such a certification authority, as Underwriters
Laboratories does for many products and the National Highway Traffic
Safety Administration does for cars, would help level the information
asymmetry currently present when consumers are attempting to make
informed decisions about the software products they buy.

In today's computer industry, consumers are bombarded with products
which attempt to fix faults in another product. This leads to
inefficiencies, increased costs, and confusion for the consumer. Other
industries, such as the food industry and financial services, have
become regulated over time to fix such inefficiencies (particularly
problems of inadequate information) and to protect the safety of the
consumer. Given the explosive pace of the current software market,
time to market is shrinking while software is getting
more complex. The aggressive and competitive nature of the software
market reduces the testing time for flaws, integrity, and reliability,
and without a consumer who is able to differentiate, poorer quality
products flood the market and the consumer is the victim. Much like
the consumer who needs a vaccine but understands very little about
the nature and reasoning behind it, and who is protected by the Food and Drug
Administration, the average software consumer knows little about what
is going on inside their computer. This situation must be helped by a
public organization so that our computing experience is safe,
reliable, and dependable. Government participation in aid of software
development is a necessary evolutionary step to alleviate the security
problems which our products face today.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/