Secure Coding mailing list archives

Regional differences in software security


From: stephencraig.evans at gmail.com (Stephen Craig Evans)
Date: Thu, 27 Nov 2008 15:23:13 +0800

I'll preface what I'm going to say with:

- I don't work in the financial vertical or government defense, but
from conversations with colleagues, I think that they get it (they
have to)

- My sphere of experience excludes Australia, India, and Japan:
  - Oz has on average a high skill set of s/w engineers, so I don't
see why that would be different for s/w security.
  - From discussions with friends/ex-employees who are from India,
because of such a high turnover in the s/w factories, a coder is given
a day's to a week's worth of code to produce at one time, so if they
leave then they can be replaced without much loss. This was a few
years ago and I don't know the level of s/w security introduced since
then, but for sure I highly doubt that developers have any say in what
they can write.
  - Colleagues and friends who live in Japan say that the level of s/w
security is just as bad as the rest of Asia, which was surprising to
me. I think, though, that in Japan, there is a strong culture of not
upstaging the boss so maybe that explains it.

So, my sphere of experience extends from Beijing to Jakarta and all
points in between... (to paraphrase ZZ Top :-)

I would say the level is barely the "beginning of the beginning".
There are no compliance laws except for PCI-DSS. There are no breach
disclosure laws.

There are often huge silos between the security guys and the
development team, both organizationally and politically. Quite a few
times I've seen the responsibility of software security dumped on the
network team with the orders of "make everything secure". And often:
(a) the web site was outsourced years ago and the company is no longer
in business; (b) the 3rd party software vendor is not going to fix its
software or attempt to make it secure in the near future (and there's
nothing in the SLA that says they have to); (c) the development team
does exist but either change processes take 3 to 6 months to get
anything done, or (d) the network manager has to go to political war
to get something done.

From all of the above, a magic elixir for a network security team can
be a web application firewall. They can drop a box in and they don't
need anybody else's permission. This is what happened on a very recent
project (I was helping the client prepare for a PCI audit), and
because of my Summer of Code OWASP project, Securing WebGoat using
ModSecurity, I was able to help their team write custom ModSec
rulesets; and from that they learned something about security (of
course it should have been the s/w people who learned something about
it).

And, you don't know how many times I've been approached to do pentests
for large corporations' web sites that handle sensitive customer data
- and their budget is $6500 to $10,000 USD. Sorry, I'm greedy, but I
can't risk my reputation by doing a less than half-assed job.

On the bright side, I've had a couple of application pentest projects
- the head of the development team was responsible for it (maybe
that's the key) - and they went great. The developers & architects
didn't know anything about software security, but each manager
assembled the entire dev team and network/sys admins for a half day
for me to present my findings and educate them on what they needed to
do; to explain the origin, the prevention/solution, etc. Those are
real fun and it's so cool seeing the looks on people's faces when it
clicks and they get it.

Stephen


On Wed, Nov 26, 2008 at 10:45 PM, Kenneth Van Wyk <ken at krvw.com> wrote:
On Nov 26, 2008, at 9:19 AM, Gary McGraw wrote:

I think this idea of regional differences is worth exploring a bit.  In my
work at cigital I have come to believe that there is a difference in
approach between the east coast of the US and the west coast.

I completely agree here.  Stephen raises a fascinating point.

I don't know what I did {right|wrong}, but the vast majority of my clients
are in Europe or Southeast Asia right now.  (I'm a dual EU/US citizen, which
perhaps helps.)  Apart from all the air miles, I've seen vast differences
that seem--at least on the surface via casual observation--to have a
regional component.  Contrasting US East, West, EU, and Asia, there are big
differences in such areas as:

- Software process.  I see more process-heavy dev in US East and Europe,
with far less of it in US West and Asia, for instance.

- Security teams.  I see a pretty solid line between IT security and
software dev teams in US East and Asia, with lines being more blurred in US
West and EU.  This seems to be central to Stephen's point, if I understand
correctly.  And it's a good point to consider.

- Security testing.  ...

The list goes on.  Unfortunately, all I have are casual observations, but
the "climate differences" seem palpable to me.

Cheers,

Ken

-----
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
