Secure Coding mailing list archives

Re: Let's get the ball rolling -- secure application design tools/processes


From: Crispin Cowan <crispin () immunix com>
Date: Mon, 08 Dec 2003 15:10:40 +0000


George Capehart wrote:

You've touched on one of the problems.  Before I start my rant, I'm 
going to stick a stake in the ground and take the following position:  
"The absence of "security" in applications is due to:


a) Negligent,
b) Negligible,
c) Inadequate or
d) Incompetent management.

It's due to the absence of process which is due to the absence of 
accountability which is due to a lack of governance.


I've seen variations on this rant several times in the week since this 
list opened, and I'd like to rebut it a bit.


Security is necessarily inconvenient:

   * Security is the business of saying "no" sometimes, and so it is
     necessary that it will be less convenient to use a secure system
     than an insecure system.
   * Secure systems perform additional checks, making them slower than
     insecure systems.
   * Secure systems require substantially more care in design and
     development, and therefore necessarily cost substantially more
     than insecure systems.

Therefore, security is *always* a trade-off between security and 
convenience (operational convenience, performance, and cost). Applying 
cleverness can *reduce* these costs associated with achieving security, 
but not eliminate them.


The market has consistently chosen convenience over security. This is 
not negligence or incompetence: it is effective management, assigning 
resources to meet needs. There is no need to invest large resources in 
securing systems when actual losses do not justify such an expense.


Only relatively recently (since the rise of the Web) has the balance of 
the costs of security vs. the costs of insecurity shifted substantially. 
Prior to the web, your bank could run insecure code all they wanted, 
because attackers didn't have access to the bank's systems. Web-enabled 
everything changes this threat balance.


9/11 further shifts this cost balance, in threat if not in actuality. 
There is a greater perceived threat of attack due to terrorists, whether 
or not that threat will ever be realized.


All of this is relatively new with respect to programming language 
design, software development methodologies and cultures, and legacy code 
base. Things are changing, but not quickly, because there is so much 
legacy to change.


So please give up on the sanctimonious notion that "they" are neglecting 
security out of ignorance or incompetence. There are massive economic 
and inertial effects to overcome. Security is genuinely difficult and 
expensive, and a real need for it is only just beginning to emerge.


Caveat: I am a vendor of security products. Our Immunix OS and tool 
suite allows you to run vulnerable code with less risk of compromise. We 
are overtly trying to leverage the gap between business wanting security 
and business being willing to pay the price of achieving security by 
reducing the costs.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
        http://www.immunix.com/shop/
