Secure Coding mailing list archives

Economics of Software Vulnerabilities


From: arian.evans at anachronic.com (Arian J. Evans)
Date: Wed, 21 Mar 2007 12:57:17 -0700

Spot-on thread, Ed:

On 3/20/07, Ed Reed <ed.reed at aesec.com> wrote:

Not all of these are consumer uprisings - some are, some aren't - but I
think they're all examples of the kinds of economic adjustments that occur
in "mature" markets.

   - "Unsafe at any speed" (the triumph of consumer safety over
   industrial laziness)

   - Underwriter Laboratories (the triumph of the fire insurance
   industry over shoddy electrical manufacturers)

   - VHS (vs BetaMax - the triumph of content over technology)


This is ironic to me: I wrote a paper for management types, an upper tactical
to strategic level view of the "software security" problem. In its current
incarnation it is called "Unsafe at Any Speed". Besides a layman's breakdown
of the fundamental issues, it covers (a) implementation issues, almost entirely
falling under the inability to enforce data/function boundaries in modern
implementation-level languages or platforms, and (b) functional issues, which
are design/workflow or emergent-behavior related.

The important point I stress is that there really hasn't been a
Whistle-Blower Phase in the software industry concerning security. Today,
vague arguments about plane crashes aside, there is little to no hard
evidence tying software defects with security implications to loss of human
life. And that's the kicker: dollars to DNA, it's death that sells.

I also argue that we are killing the Canaries in the Coal Mine. The script
kiddies, the guys writing the little payload-less worms, the kid who wrote
the Sammy virus, they are scared to touch systems now. These were the
Canaries down there in our software coal mines. SQL Slammer and the Witty worm,
though they carried no payload, caused negative impact, but there were no
charges for these.

The charges are always against some token young guy for some relatively
benign worm. MySpace slows down and we prosecute a young kid with
above-average problem-solving skills. I used to call these worms that slowed
things down "free pen tests", later "canaries". They had a real (positive)
value to us, and we've killed that value without replacing it with something
better.

I experienced a rise in vendor animosity and threats over the last two years,
a reversal of the trend back to the "good old days", coupled with work
constraints restricting full disclosure options. What made this worse (to
me, ethically) is that many of these vendors were advertising "security" to
their clients, from an image of a safe on the website with a list of
"security features", to announcements proclaiming the security of the system
displayed to users after they log in. None of these systems were measurably
secure in any fashion I could detect, not even against the usual suspects
(SQLi, XSS, Insufficient Authorization/Workflow bypass, etc. etc.). I got the
feeling things were getting worse. That, or I hit some weird biased sample of
ISVs.

I think you are on to something here in how to think about this subject.
Perhaps I should float my little paper out there and we could shape up
something worthwhile describing how the industry is evolving today.

I have been peacefully quiet since I quit my old job, ignoring the security
lists and industry, and haven't poked the bear, er, trolled any of the usual
suspects lately. Looks like I've been missing out on some good dialogue.
Thank you, this was very helpful.

Arian J. Evans
Solipsistic Software Security Sophist at Large