Secure Coding mailing list archives

Software security != security software


From: sbradcpa at pacbell.net (Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP])
Date: Mon, 11 Dec 2006 19:40:03 -0800

"The problem is that security software vendors including Symantec and 
McAfee have used the very same techniques for years in the name of good. 
Antivirus software and personal firewall software pull all sorts of 
fancy kernel-interpositioning kung fu."

..... and for every good..... there is also a bad:  
http://www.securiteam.com/windowsntfocus/6Z0032AH5U.html 

"The reason we need security software like antivirus tools and personal 
firewalls is that OSes have traditionally suffered from all kinds of 
security problems (both bugs and flaws)."
Hmmm, let's see... lately we've had these bugs http://secunia.com/vendor/6/  
and these http://secunia.com/vendor/70/  and these 
http://secunia.com/vendor/56/ and these ones 
http://secunia.com/vendor/54/ and these http://secunia.com/vendor/51/ 
and..... well, you get the idea that it's not just OSes that have 
security flaws... sometimes it's the very things we buy to make us secure 
that have their own issues.


"Microsoft may be too responsible to manipulate its security defect 
density intentionally in order to create demand for its security 
software, but the fact that this is even possible is a great worry. This 
is like allowing the fox to design and build the henhouse, not just 
guard it."

Microsoft "rogue" developer says in a development meeting for Forefront 
products:  "Say... I think I'm going to manipulate security defects just 
'cause I want to drive more sales of Forefront products... yeah, that's 
the ticket... "

Okay, so with tinfoil in place... that's going to need a "Security Defect 
Density Product Manager" (Microsoft doesn't do anything without a PM or 
two, you know), at least an entire WagEd (Waggoner Edstrom [however you 
spell that]) marketing division to do a 'spin' and marketing blitz on how 
Forefront needs to be the software of choice... numerous conference 
calls and committee meetings, not to mention User Interface testing 
... etc etc...

You know, this reminds me of when my Dad would respond to the folks who 
said that the Government did "fill in the blank", such as kill Kennedy, 
pretend to go to the moon but really did not, and other assorted odds 
and ends.

1.  From the outside it appears that they are not that well organized to 
pull something like this off (it took them 5 years to get Vista out the 
door)... do you honestly think that Microsoft can selectively code a 
"security defect density" without causing some other issue?  That the 
Forefront team gets together with the Vista team at the watercooler and 
swaps and coordinates places to put defects in?

2.  Do you honestly think there wouldn't be some honest whistleblower 
somewhere who would be on the Fox News Channel or Oprah in a heartbeat?

Is this possible?  When our own government put forth evidence of 
"weapons of mass destruction" and it later came out there weren't 
any... that showcases that people talk and the truth gets out. Maybe I 
just grew up too much in the era of Watergate and believe too strongly 
in the power of free speech... but it's a little hard for me to think 
that someone like MiniMicrosoft wouldn't be screaming their head off if 
someone in Microsoft even thought of such a thing. 

Someone would blog.  Trust me on that one.

Quite frankly, I've been burned a few times by those antivirus 
companies that have guarded my henhouse and have flagged things as 
viruses they shouldn't have, and have brought my network to its knees.  So 
even when they were protecting me, I've lost confidence in them too.

Right now my biggest concern is that we still aren't caring enough about 
software security at all.

Susan... who's convinced that the bad guys got over these petty 
turf wars a long time ago and are way more cooperative/coordinated than 
the good guys are.

Gary McGraw wrote:
Hi all,

The furor over Microsoft's entry into the security software business is
confusing some people about their software security designs.   Or maybe
people who know better are trying to confuse the market??!  Note word
order.

I wrote about this in my latest darkreading column that you can find
here:
http://www.darkreading.com/document.asp?doc_id=112402

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com 



----------------------------------------------------------------------------
This electronic message transmission contains information that may be
confidential or privileged.  The information contained herein is intended
solely for the recipient and use by any other party is not authorized.  If
you are not the intended recipient (or otherwise authorized to receive this
message by the intended recipient), any disclosure, copying, distribution or
use of the contents of the information is prohibited.  If you have received
this electronic message transmission in error, please contact the sender by
reply email and delete all copies of this message.  Cigital, Inc. accepts no
responsibility for any loss or damage resulting directly or indirectly from
the use of this email or its contents.
Thank You.
----------------------------------------------------------------------------

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


-- 
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down...
http://blogs.technet.com/sbs
