Thinking of Security Vulnerabilities As Defects

SecureThroughObscure writes "ZDNet Zero-Day blogger Nate McFeters has asked the question, 'Should vulnerabilities be treated as defects?' McFeters claims that if vulnerabilities were treated as product defects, companies would have an effective way of forcing developers and business units to focus on security issue. McFeters suggests providing bonuses for good developers, and taking away from bonuses for those that can't keep up. It's an interesting approach that if used, might force companies to take a stronger stance on security related issues."

Of course vulnerabilities are defects

[ardle]

If they weren't, they would be in the program design.

Re:Of course vulnerabilities are defects

[kesuki]

but then what do you call design features like windows networking telling you if you got the first letter of your password right, even without the rest of the password, and then letting you do that for the next letter, and so on and so on.

it was a feature of early windows networking, to do just that! like people might 'forget' their password, so they would 'need' a feature that would tell them letter by letter, if they were getting warmer on remembering the password! hackers had a FIELD day with various 'features' of Microsoft products.

Re:Of course vulnerabilities are defects

[magisterx]

Sometimes they are. Remember that there are some times when a vulnerability is a technical exploit of something subtle, and those possibilities are always bugs and defects and should be treated as such. But there are many other times when there is a trade off to get that additional security. There is very often a balancing act between usability and security.

This example is certainly not ideal as it does not involve software design, but it is analogous and one that I have personally seen happen. Consider a small company where literally everyone knows everyone and let us say it is a highly technical company so we can assume that everyone knows the basics of what they are doing. They may choose given everyone system administrator priveleges on the database and give everyone a domain admin account even if they normally log in on a lower privileged account. They have absolutely no security in the sense that any user can mess up the system in any way they chose. But they also have none of the usability problems that comes with security. They never have to wait for the network admin to be available if some setting needs to be changed, and never have to worry about a user not being able to get a document they need.

As the company grows, this will become unacceptable. But once security is laid on, now you have to make sure that everyone has the right permissions to read the documents they need. It adds layers of overhead and usability. It increases security, but that security comes at the price of tremendous man hours for a select few domain admins and often forcing users to wait for a designated admin when they need basic things like software installed.

Was the lack of security and the potential vulnerabilities a defect or a design flaw for the small company?

For something more immediately applicable there can also be a trade off between security and efficiency. For instance, I write a lot of SQL scripts that use dynamic SQL. Adding code to protect against SQL Injection requires more of my time to write, more of the computers time to process, and makes the code more complex for someone else who has to maintain it. It comes at a trade off. When I write something that will be used by a broad audience, I always favor security, but when I am writing scripts that will only be used by my internal team I often favor the efficiency and readability.

Clearly, there are cases where a vulnerability is a definite defect, but there are other times when vulnerabilities are consciously accepted for usability, performance, or code maintainability reasons. I will agree that performance and code maintainability become less compelling when it is a commercial product being sold, but they can be major factors within a company where you can often give the user at least a certain minimum level of trust, and usability can be a valid reason to consciously permit small security risks in even a commercial package.

Re:Of course vulnerabilities are defects

[ardle]

Well, in support of my earlier statement, I'd have to call it a really dumb feature ;-)
I see what you mean, tho - hope you understand where I was coming from: if the program is behaving unexpectedly (as opposed to operating as designed but in a context the designers didn't intend), then it's a defect, and a defect that poses a security risk is still a defect.
For the sake of a pithy post, I kept clear of grey areas ;-)

Re:Of course vulnerabilities are defects

[TubeSteak]

Of course vulnerabilities are defects

If they were defects in the eyes of USA law, they'd be considered a material defect or design defect under existing contract or product liability law respectively.

There are a few possible outcomes from such a scenario
A) Nobody writes software anymore because they'd be sued into oblivion
B) Prices go up because coders & companies have to buy software defect insurance
C) Prices go up because companies spend more in labor to produce defect free code
D) The EULA lists every possible failure scenario (plausible or not) in the interests of full disclosure and business continues as usual

Re:Of course vulnerabilities are defects

[slarrg]

Sadly, most manages only recognize a defect if it i something likely to be noticed by their customers. Unless your customers are hackers, they'll never discover the problem so there's no need to test for them.

The biggest problem, in my opinion, is that management as a whole is generally "success based" which means failures a swept under the carpet or otherwise ignored. This means the company as a whole never leans from its mistakes or avoids them in the future. Everyone runs around talking about how great everything is and how wonderful they are at their jobs but no one ever analyzes anything to see if the project was successful by its original definition.

Instead, as the project grinds on the scope is limited, features removed, timelines extended, budgets exceeded, etc. However, every manager beams about the unbridled success of the finished product after the lowered success conditions are met.

Re:Of course vulnerabilities are defects

[noidentity]

Reference please? This sounds too silly to be true!

Re:Of course vulnerabilities are defects

[turbidostato]

"Was the lack of security and the potential vulnerabilities a defect or a design flaw for the small company?"

How can somebody twist a simple concept into such a contorted one?

Defect is nothing more and nothing less than something not working as expected. If something is there by a concious decision is a feature; if something is misdoing, it's a defect. It's as simple as that. Really.

Now, on defects: if something works as designed, but the designers didn't thought in advance of a given (misdoing) situation it's a design defect (in your example, if somebody misuse his admin rights and the boss feels it unacceptable *now*, that means that his security design was flawed. If he answers "well, these things happen, let's move on", then it's a feature). If something doesn't work as designed, and it's misdoing, it's an implementation defect. If something is working as designed and the designer doesn't feel some behaviour to be misdoing, then it's a systemic defect (either an unethical seller or an idiot/uniformed buyer).

And that's all.

Re:Of course vulnerabilities are defects

[turbidostato]

If problems on cars were defects in the eyes of USA law, they'd be considered a material defect or design defect under existing contract or product liability law respectively.
There are a few possible outcomes from such a scenario
A) Nobody builds cars anymore because they'd be sued into oblivion
B) Car prices go up because builders & sellers have to buy car defect insurance
C) Prices go up because companies spend more in labor to produce defect free cars
D) The EULA lists every possible failure scenario (plausible or not) in the interests of full disclosure and business continues as usual

Well, I don't see car bussiness to be in bad shape lately.

Re:Of course vulnerabilities are defects

[tchuladdiass]

Except, when I bought a new car, there was a small defect in the paint job -- a nearly unnoticeable paint bubble. I'm sure that every car that comes off the lot has a blemish somewhere. Doesn't cause the car to crash, and life goes on. Same thing ain't true with software -- that same "blemish" could easily be turned around and allow someone to break into the software.

The only way we could get comparable results with software v.s. physical objects is if computer systems develop the ability to withstand a certain percentage of defects without adverse affects. Kind of like how a few bolts on a bridge can be bad, because the way it is engineered is if a section calls for 5 bolts, they put 8 bolts in there just to be safe. Not a lot of practical ways to do that with software, at least not without a performance trade off.

Re:Of course vulnerabilities are defects

[mrsbrisby]

E) All software becomes GPL; You can fix defects yourself, or hire anyone to fix them.

Entertaining liability is only material because companies hold a monopoly on the "right" to fix defects- whatever that means, whether it be mere "annoyances" or outright failures of engineering.

This essentially makes it a PR problem, where with the low cost and even lower expectations of a modern software world, you could sell a life support machine that killed its patients 100% of the time.

Remove the monopoly, and you'll see higher quality software for cheaper- with the best software people working harder for more money, and the rent-a-coders becoming completely obsolete.

Re:Of course vulnerabilities are defects

The only way we could get comparable results with software v.s. physical objects is if computer systems develop the ability to withstand a certain percentage of defects without adverse affects. Kind of like how a few bolts on a bridge can be bad, because the way it is engineered is if a section calls for 5 bolts, they put 8 bolts in there just to be safe. Not a lot of practical ways to do that with software, at least not without a performance trade off.

The only place where I see this would be remotely applicable is buffer overflow attacks. but still not a 100% secure method. because once I know that a bridge is designed to handle 2000 tonnes but on the entrance it says "1500 tonnes," I can still put 2500 tonnes to break it. all it does is increase the hacker's work.
so IMO there is no gray area. it is black or white. we could assign "pseudo-shades" saying there is against 99% probability that it is 100% secure of attacks but that is just marketing.

Re:Of course vulnerabilities are defects

[jc42]

D) The EULA lists every possible failure scenario (plausible or not) in the interests of full disclosure and business continues as usual

Actually, IBM discovered all this decades ago. One of the ongoing jokes in IBM systems, dating at least from the 1960s, is about a customer documenting and reporting a bug, only to be pointed at page 485 in volume 17 of the documentation, where exactly that behavior is documented. And since it's documented in the manual, "It's not a bug; it's a feature" and won't be fixed.

So maybe the only effect of such a proposed law would be to increase prices by forcing all software vendors to provide copious documentation. If you've even dealt with the documentation for IBM mainframe software, you won't necessarily be made happy by the prospect. You might be horrified.

Re:Of course vulnerabilities are defects

[Kjella]

If something is working as designed and the designer doesn't feel some behaviour to be misdoing, then it's a systemic defect (either an unethical seller or an idiot/uniformed buyer).

Or the designer is an idiot. Been there, had to fight long and hard because first I struggled with coders that said the code is according to spec. Second I had to struggle with the designer that clearly didn't understand what the system was supposed to do, because logically and businesswise it made no sense but somehow he thought the design was right. It was close but he had mixed up two columns of data with similar content and used the wrong one. I finally got through and got it categorized as a defect and the design was changed to work the way I explained it should work. I'll admit that's not such a common case though.

Re:Of course vulnerabilities are defects

[spidr_mnky]

If the code works as designed, and that's how it's designed, then that's a mental defect.

Re:Of course vulnerabilities are defects

[kesuki]

keep in mind the original RFC for SMB file sharing had nothing about encrypting the password, networks were new, the internet non existent, we're talking 1979 or earlier here... the original windows SMB filesharing was over netbios, not even over tcp/ip (because windows had no tcp/ip stack) so having SMB tell you each letter of the password was individually correct was more along the lines of 'routers' coming with the default password of 'admin' before they're configured or if they're manually reset...

it seems too boneheaded to be true, but SMB was started early in the windows 3 days, when 640k was still enough for most people.

Re:Of course vulnerabilities are defects

[KGIII]

As the company grows, this will become unacceptable. But once security is laid on, now you have to make sure that everyone has the right permissions to read the documents they need. It adds layers of overhead and usability. It increases security, but that security comes at the price of tremendous man hours for a select few domain admins and often forcing users to wait for a designated admin when they need basic things like software installed.

Two things... The first is that therein lies the rub. Permissions are a flaked out aspect. Why? See the second point. The unfortunate reality is that when there are permissions there are also methods to enforce them. Second? You're describing, to the letter, DRM and we can't have a discussion about DRM as a viable tool. The reality is that CHMOD is a basic form of DRM.

So security, as you state, is a matter of usability vs. security. No, not any, online computer is secure. To deny that is just blind. If it is online it is vulnerable. If one is more a realist than ANY computer that is powered up is vulnerable in some manner. We geeks love to have a secure OS and then use a simple lock on our basement door. Nothing, in truth, is secure. If you tell a secret to one person it is no longer a secret. If a computer turns on and connects to the internet it is even less secure, turning one on at all is a vulnerability. Security is not, and never will be, an absolute. It can't be because information, even secret information, will to be shared. One can even argue that information needs to be shared before it is of any value at all but this is here and that means it isn't the place.

Re:Of course vulnerabilities are defects

[Nullav]

The reality is that CHMOD is a basic form of DRM.

I must say, my keyboard would be absolutely soaked if I was drinking something right now. My maildirs and private keys? Not yours and I'm not setting public read. httpd.conf? Sure, I'll set public read and owner write so you can look at it and even copy it for non-disruptive editing for whatever reasons. It's also worth noting that a lot of 'users' don't even have people behind them on a typical home system.
It would be DRM if RO access meant you couldn't edit the copy. Moreover, all current incarnations of DRM would try to get in the way of copying files in the first place (usually by having the file behave differently on other systems). DRM is for enforcing artificial scarcity, permissions are for keeping systems intact and protecting private information on shared systems. I suppose you're going to call passwords DRM, too?

I'm not really in disagreement with the post as a whole, but the first paragraph really made me cringe.

Re:Of course vulnerabilities are defects

[Opportunist]

... or legal telling you it's a good idea to include flaws in the design, so people can't sue.

No jokes about legal department being a mental defect, ok?

Re:Of course vulnerabilities are defects

[TheLink]

Wouldn't OSS authors be liable under the law as well?

If you design a bridge for free and there's a defect so it collapses and kills somebody, would you be held liable?

I don't see how things will become cheaper. Things might become more reliable, but cheaper?

People might stop designing crappy bridges for free (bridges that "sorta work" most of the time). Take PHP and MySQL as examples, they're pretty crap, but lots of people seem to think they work well enough.

We don't sue suse/redhat if there's a problem, but if the law changes, Microsoft and friends might be able to bribe someone to sue Red Hat out of existence.

Re:Of course vulnerabilities are defects

[irqless]

I agree. If security requirements were written into the development spec, there would always be room to hold people accountable, regardless of the development methodology.

Re:Of course vulnerabilities are defects

[lucifuge31337]

but then what do you call design features like windows networking telling you if you got the first letter of your password right, even without the rest of the password, and then letting you do that for the next letter, and so on and so on.

Seem to me that is still a defect. Not in the software itself, but in the software design.

Re:Of course vulnerabilities are defects

[KGIII]

In very basic form one could call passwords DRM, albeit an aspect of digital rights management and not a whole solution. DRM and "copy protection" overlap and the term DRM has some really awful connotations. There is more to DRM than just copy protection however.

The current restrictions (and methods) of the widely used copy protection are barbaric and disturb me greatly. The way that the term DRM has been used has pretty much tarnished its reputation forever and some people have come to the conclusion that all things DRM are bad without actually realizing how much they already rely it. DRM is just access control technology, that's all it is. It is a generic term that some people have associated more closely with the copy protection aspects when it is, in reality, just another layer of security - not just for things with a copyright.

So, yes, to answer your question again. I'd call that ol' password DRM at its finest. It is an example of DRM being used properly and effectively. DRM != copy protection. Copy protection is one aspect of DRM, it is the portion that gets the most noise from the vocal minority but is just one element of DRM.

Re:Of course vulnerabilities are defects

[magisterx]

Defect is nothing more and nothing less than something not working as expected. If something is there by a concious decision is a feature; if something is misdoing, it's a defect. It's as simple as that. Really.

I completely agree with you. The point I was trying to make, and perhaps I did not make it as clearly as I could, is that you can have security vulnerabilities that are not defects. Some, obviously are, but to say they all are does not make sense. Security vulnerabilities can arise because of trade offs in the design. When that trade off is permitting a vulnerability to allow more usability, it may very well be a feature.

When that trade off is accepting a vulnerability due to efficiency of the code or to save the time it would take to fix it, then it is clearly a defect, but it can be a defect that is permitted consciously especially when the program is for internal use only and the users can be assumed to be trusted.

Re:Of course vulnerabilities are defects

[Feanturi]

Yeah, it was quite astonishing the first time I saw an SMB password cracking tool in action. It looked just like how cracking tends to be portrayed in hollywood movies, a flurry of letters scrolling by, freezing one place at a time as the correct letters built the whole password, the whole operation finished in mere seconds. I had always sneered at that portrayal because it should be impossible to crack something that way, since who would be retarded enough to design a system where it would be possible? I got my answer. :)

Re:Of course vulnerabilities are defects

[mrsbrisby]

Wouldn't OSS authors be liable under the law as well?

No.

If you design a bridge for free and there's a defect so it collapses and kills somebody, would you be held liable?

Absolutely, but that has nothing to do with the UCC which covers commerce.

See, when you buy something, you have certain rights; it has to work as advertised, or the seller has to pay damages.

If someone gives you a car that doesn't work, versus someone selling you a car that doesn't work, would be closer to the analogy.

Re:Of course vulnerabilities are defects

Well, I don't see car bussiness to be in bad shape lately.

Someone hasn't been looking, then...

Re:Of course vulnerabilities are defects

[turbidostato]

"The point I was trying to make, and perhaps I did not make it as clearly as I could, is that you can have security vulnerabilities that are not defects."

I saw your point, but I think "the point" now is about the definition of vulnerability. You can go as theoretical as you want but, at the end of the day, more or less the same operational definition I gave for "defect" is just as valid for "vulnerability": if it works as expected, then it's not a vulnerability as it is not considered a vulnerability that your home front door cannot stand against a Tomahawk.

"When that trade off is accepting a vulnerability due to efficiency of the code or to save the time it would take to fix it, then it is clearly a defect"

You said at the top of your post that you agreed with me. Well, no: if you conciously and knowingly accept some vulnerability, my point is that it is *not* a defect. And my point now is that it probably isn't a vulnerability either: in your example, say, authenticating through non-cyphered HTTP (instead of HTTPS) conciously and knowing and accepting the trade-offs is certainly not a defect, nor I'd consider it a vulnerability.

Re:Of course vulnerabilities are defects

[againjj]

And of course no one would want to trade performance for security.

Thread over.

Thread over on the first post. Well done.

No

[blargfellow]

Of course they aren't defects, they should be treated as features!

Re:No

[trolltalk.com]

Since we already call "bugs" defects ... umm ,,, on second thought ...

Seriously, security faults, "bugs", "features" that aren't, etc., are defects. They're mistakes. Errors. They didn't just crawl in there accidently, no matter how much we strive to give them independent life by calling them "bugs" or "random behaviour". Not on deterministic systems like computers.

Potholes

Duh, that's like asking if potholes should be considered defects in a road.

won't change a thing

you'll just have more disclaimers stating "this product does not provide secure services" which will continue to dominate the market because they are cheaper.

Unless you make security defects criminally punishable you will get no traction at all.

No. They'd get sued

[techmuse]

They'd get sued out of existence for shipping defective products. I can't see any company agreeing to label its products in such a way.

wait...what?

[yakumo.unr]

There are companies that DON'T treat security vulnerabilities as defects??

Re:wait...what?

[clarkkent09]

Yeah, weird article. At the last company I worked for (Oracle) any security issues were filed and treated in every way same as any other bugs. That seemed a natural thing, why would you treat them as something separate?

Re:wait...what?

[jd]

Microsoft don't seem to treat scurity vulnerabilities. Mind you, they don't seem to treat defects, either, so I guess they are still treated as the same.

Re:wait...what?

Nice troll; so patch Tuesday each month doesn't exist? Dork. Microsoft actually spends a lot of effort fixing security vulnerabilities. They don't treat them like other defects. Vulnerabilities get a LOT higher priority.

Re:wait...what?

[Nerdfest]

As much fun as bashing them is (and please don't let me stop you), even MS takes security into account early (or at least gives it a nod): 8 Simple Rules For Developing More Secure Code

Companies DO consider them defects

The last company I worked for (a fortune 100 company) considered them defects.
There was a concerted effort to track down and eliminate buffer overflows and other common security flaws.

Then again, after all the cutbacks (including the ones that cost me and my coworkers jobs) I'm sure it's not really a priority any more.

Criminal negligence

[tepples]

Unless you make security defects criminally punishable you will get no traction at all.

I'd imagine that this is already the case for banks, payment processors, medical facilities, and the like.

Re:Criminal negligence

[sowth]

Apparently not. My dialysis center runs all Microsoft OSes, and I've even heard the techs complain about how they were sure they entered info, but it wasn't in the system. Sounds like a familiar problem.

Their system also seems to miscalculate the amount of fluid to be taken off. At first I thought maybe it was just trying to challenge the presumed dry weight which was in the system, but if this were the case, then why have the techs started calcuating it by hand? I have observed this in two dialysis centers, so I would imagine it is happening in all of the dialysis centers owned by the same company.

At any rate, obviously there is a major defect somewhere, and it would be surprising if someone was not killed by it already. If you take off too much fluid during dialysis, it can easily be a life threatening situation. They haven't stopped using this system, which I'm sure they would if criminal or even civil punishments were involved, so I would say no, criminal punishments do not come about due to flaws in medical software.

In fact, how would anyone trace it down to the computer in the first place? Most people assume computers give flawless answers, they just expect them to crash a lot, so if a computer gave an incorrect answer to a calculation or missing information, and that error got someone killed, who would even think to check the computer? They would probably just blame the nurse or technician. Plus I do not think there is a tracking / recording system to tell you what result the computer gave anyway. How would you prove it?

As far as banks and the like, since when have you heard of a teller being arrested for losing a check or mistyping information? It happens all the time, and if the victum can't prove it, then they are shit out of luck. If they can, then the bank just corrects the error. The only time I've heard of bank employees being arrested were for obvious deliberate fraud. It is probably the same way with computer software.

Why is this even a question?

[EdwinFreed]

We've treated potential vulnerabilities in our products, even extremely minor ones, as defects for over two decades now. And we have always given them very high priority.

To the best of our knowledge we've never had a remote exploit vulnerability, but even so we've gone so far as to scrap thousands of freshly pressed CDs a day before releasing them because I spotted a way to get root access through a tricky bit of business with shared libraries. (And that was for something spotted internally - no customer ever reported it.)

The real question isn't whether to treat security vulnerabilities as a defect - of course you do - but - somewhat paradoxically - whether or not to treat them as security vulnerabilities. We were acquired some time ago and have now adopted (and adapted to) various more complex procedures typical of a large company. There's this little box you're supposed to check in our current bug reporting system that says "this is a security vulnerability". The problem is that checking that box fires up a whole lot of extra process that rarely helps and can actually hinder prompt resolution of the problem and getting the fix into customer's hands.

Re:Why is this even a question?

[HalAtWork]

Why is this even a question?

Because it leads to the line of thought that one might hold a company liable for these defects, the repercussions of which would imply large changes both in the approach of software development, in the support of existing software, and in regard of the current state of widely used software.

The real question isn't whether to treat security vulnerabilities as a defect - of course you do - but - somewhat paradoxically - whether or not to treat them as security vulnerabilities.

I think that's a different question altogether...

Re:Why is this even a question?

We've treated potential vulnerabilities in our products, even extremely minor ones, as defects for over two decades now. And we have always given them very high priority.

Go ask your corporate legal counsel what would happen if the law treated software vulnerabilities as design defects.

Re:Why is this even a question?

[Kjella]

Go ask your corporate legal counsel what would happen if the law treated software vulnerabilities as design defects.

Umm... nothing? Last I checked pretty much every EULA disclaimed any liability for defective design along with everything else.

Re:Why is this even a question?

That's exactly the point. What would happen if such disclaimers weren't valid?

Would it make better code? No, because shipping deadlines already rule that roost. Software publishers can release updates and bugfixes whenever they like. If that means pushing something out that's a bit rough around the edges, that's what it means. I'm not saying it's a good decision, only that it rarely has to do with when a product is "done" according to the programmers. Look at open source projects. If you let the developers determine when it's ready, who knows when it'll be released. Businesses, even open source ones, will say, we have an October 2008 target. Make it happen.

Any way you slice it, treating software bugs as product defects would mean less software overall and many more petty, irate lawsuits that don't motivate better products, but rather motivate better liability insurance coverage and higher prices.

Re:Why is this even a question?

[duyn]

I'm not a lawyer, and this is all speculation, but here goes...

Go ask your corporate legal counsel what would happen if the law treated software vulnerabilities as design defects.

Your question is moot. The law already treats software vulnerabilities as design defects. If a piece of software contained a bug that would fall short of the standard of care that a reasonable person would have exercised in the circumstances, you could face a lawsuit for negligence. There is no legal doctrine or statute (that I know of) that says you can't sue over software vulnerabilities.

Luckily, the law sets the reasonable standard of care for software developers rather low most of the time. The stakes aren't as high as designing bridges. The trust isn't as intimate as with doctors. You're probably expected to take about as much care as girl scouts selling cookies--they don't have to be the best cookies ever, just make sure they're not poisoned. The vast majority of the time, the mere existence of a vulnerability won't be enough for a legal action. Especially not when you paid nothing for the software or where the EULA is plastered with disclaimers.[1]

If you're making software to run an airliner, however, the standard of care rises. That's why airplanes don't crash as often as Windows. Most software is not developed under circumstances where a reasonable person would expect, nor would the law demand, such a high level of care. Just don't pretend your software is the second coming of Christ and you won't be sued for failing to perform miracles.

----------

[1] The law will deem people to have read EULAs, even though nobody reads them. It's like how the law treats you as having read those mobile phone contracts that nobody really reads. So, whether EULAs are binding or not, the fact that you've "read" them means you'll be aware (in the eyes of the law) of the disclaimers. This affects the conclusion of whether the software developer fell short of the standard of care.

Vote with your money

[jonaskoelker]

Here's a summary of the article:

Vendors should make their developers work more on security (via money)

Meh. How often are the developers free to choose which parts and aspects of their companies' software they want to work on? As long as the companies tell their developers what to work on, here's the easy way: tell the devs to work on security testing and fixing. Letting the developers manage themselves is not going to sit well with management types, so you almost always have developers who are told what to work on.

Also, if anything external to the way you work (i.e. the promise of more money) can make you work better, you're slacking off in your daily work: why don't you deliver peak performance without the extra money?

Re:Vote with your money

[fastest+fascist]

Also, if anything external to the way you work (i.e. the promise of more money) can make you work better, you're slacking off in your daily work: why don't you deliver peak performance without the extra money?

There's two ways to look at performance vs. compensation. Employees, ideally (at least from the employer's viewpoint) will look at it the way you do: you're being paid to do your best, so you should need no extra incentive to do so. Project management, on the other hand, should be pragmatic about it. Sure, employees SHOULD do their best no matter what, but maybe cash incentives can add motivation. If that is found to be the case, a good manager will choose results over principles.

Re:Vote with your money

[magisterx]

Also, if anything external to the way you work (i.e. the promise of more money) can make you work better, you're slacking off in your daily work: why don't you deliver peak performance without the extra money?

Once again, due to trade offs.

I have had jobs where for several months at a time I worked for 15+ hours a day, every day and that was the minimum some weeks exceeded that substantially. That job got the very best I could give. That was a job where whether people lived or died could be impacted by the quality of my work and the pay was also commensurate with the hours. During that period, I did very little that was not related either to my job or to the physical maintenance of my body. I did not take college classes, did not get certifications, never saw my family in person and spent only a limited amount of time on phone/e-mail keeping in touch with my family. That was my peak performance.

At my current job I work between 45 and 65 hours a week depending on the office tempo and do not at all consider it slacking off (if my boss does, he hasn't said anything). I am not making anywhere close to the pay I was making at the other job, but I see my family, have completed computer certifications, and am preparing to start grad school part time in a month. If a company wants me to give up my time with my family and my ability to pursue personal development, I can certainly be persuaded, but it requires the right motivation. For me to do that again, it would take either a situation where people's lives/health were on the line or a salary high enough to compensate me for what I am giving up, or preferably both.

Re:Vote with your money

[jonaskoelker]

That's certainly a nice anecdote, which points out my unstated premise (which I thought was obvious): that I'm talking about differing levels of quality of work done in the same amount of time.

Re:Vote with your money

[jonaskoelker]

If that is found to be the case

I'm waiting for you to google up someone to cite on a verdict ;)

Seriously, that would be interesting to know: how well does cash make people work better, and how does it depend on the "price structure"...

Re:Vote with your money

[magisterx]

But even if that is what you are talking about, that is not what you can get by offering more money.

If someone normally works 40 hours a week, but they can legitimately get more money by meeting certain quality goals, then they will often happily work longer to meet those goals and get the extra money. It provides them the incentive to stay late and come in on weekends and get things done even if it takes longer.

Re:Vote with your money

Here's a summary of the article:

Vendors should make their developers work more on security (via money)

Meh. How often are the developers free to choose which parts and aspects of their companies' software they want to work on? As long as the companies tell their developers what to work on, here's the easy way: tell the devs to work on security testing and fixing. Letting the developers manage themselves is not going to sit well with management types, so you almost always have developers who are told what to work on.

Also, if anything external to the way you work (i.e. the promise of more money) can make you work better, you're slacking off in your daily work: why don't you deliver peak performance without the extra money?

This falls in line with the authors original message. He mentions the use of Secure SDLC and training to make developers better, than suggests the use of positive reinforcement over negative.

In fact, the company McFeters works for, Ernst & Young, did a pitch for us on Secure SDLC where it was made very clear that the process should involved the developers helping to decide what should be programmed. For instance, if developers notice a major flaw in the business requirements phase, they can kick back to the business and help make a more educated decision. Now, of course the business could always say, screw you devs, do it anyways... BUT, then it is documented. So when it comes time to take away some bonus money, it comes out of those in the business who made the flawed decision. OR, conversely, you could reward the devs who pointed out the potential issue for their find.

Yes

[maz2331]

Yes, they are defects.

That said, there's one caveat to it: WHO'S defect is it? If the defect comes from a licensed library, OS issue, or other hidden cause, then that defect belongs to the source author/vendor.

Sometimes you end up having to work around someone else's crap.

Re:Yes

[Sique]

But that's no different to any other product. Buy defective capacitors from a manufacturer for your product, and your product blows up because of them: It's your responsibility to recall the product and replace the capacitos.

Re:Yes

WHO IS defect is it? YOU ARE IS defect it is!

Intentional misuse

[asc99c]

If a user was intentionally mis-using software I had written, I wouldn't consider it a bug. Although a vulnerability is generally mis-use by someone other than the owner of that piece of software, I'd still have to conclude it's not a bug. If I'd built a car, I would be more than a little annoyed if I got the blame that someone had broken into it and run someone else over with it.

I think it needs to be left to the market to decide what is acceptably secure software. Many Ford cars from the early 90s had locks that were far too easy to break - just stick a screwdriver in and it opens - even did it myself when I locked the keys in the car once. They got a bad reputation, and Ford improved the security to a level the market was happier with.

The market in software doesn't work quite as well as for cars unfortunately, but that's another issue.

Re:Intentional misuse

[John+Hasler]

You might want to read up on merchantability, implied warranty, and fitness for use. These legal concepts apply to cars and other tangible goods but not to software. They should.

Re:Intentional misuse

[dvice_null]

> Although a vulnerability is generally mis-use by someone other than the owner of that piece of software, I'd still have to conclude it's not a bug

So if you would write e.g. an FTP-server and user would setup that anonymous users have no write permission (read only). And then someone would as anonymous user send invalid command, which would cause a buffer overflow and corrupt the whole file system. You would not consider that a bug, because someone had just misused it by using a non-standard command?

Re:Intentional misuse

[asc99c]

They do apply to software. EULAs in most places at least are pretty much unenforceable nonsense. If software doesn't do it's job, you can return it for a refund.

Most software vulnerabilities are caused by inputting in random or intentionally malicious data. Continuing the car analogy, I can go a pour sugar (or worse) into a car's fuel tank and it will break the car (or explode and kill someone depending what I used). That isn't a bug. If I do this to my own car I'm completely to blame for my actions, and if I do it to someone else's car it's a crime.

The same should apply to software. I think in fact there are already more demands on software than tangible goods. It's pretty easy to get confused and put petrol in a diesel car - especially if you've got one of each :) Its an easy mistake to make, but the same sort of thing in software would be treated as a bug.

Re:Intentional misuse

[John+Hasler]

> They do apply to software. EULAs in most places at least are pretty much unenforceable
> nonsense. If software doesn't do it's job, you can return it for a refund.

I'm not talking about EULAs. I agree that they are largely unenforceable. As far as I know in the US what is warranted is the tangible goods: the physical copy. If the CD is scratched you can insist that tney make you whole by replacing it with a good one or refunding your money but the software can be buggy as hell as long as the copy arrives on your computer intact.

Re:Intentional misuse

[paratiritis]

If I'd built a car, I would be more than a little annoyed if I got the blame that someone had broken into it and run someone else over with it.

It depends. If the user left the car unlocked, then sure. If the car was stolen because it had a defective lock (either one you manufactured, or because one of your suppliers messed up) then yes, it is your fault.

I think it needs to be left to the market to decide what is acceptably secure software. Many Ford cars ... were far too easy to break

A bit too simplistic, I think. Take prescription drugs. You want these tested and approved because the average buyer (patient or even doctor) is not qualified to judge their efficiency, so they cannot judge cost/benefit accurtely. They need standards to guide them. Similarly in software neither users or general IT professionals can judge the full security features of all available products. Again, they cannot judge cost/benefit accurtely, therefore they also need standards to guide them. Failure to meet these standards should then be considered a defect.

Re:Intentional misuse

[asc99c]

I suggest leaving it to the market to decide precisely because of this sort of issue - an FTP server designed to be openly accessible shouldn't have this kind of vulnerability. Users wouldn't accept this sort of problem, so yes it should be treated as a bug.

Even so, sending a few Kb of malicious data down to the server is hacking and the legal 'blame' for this should be with the hacker not the developer.

But not all software is subject to this requirement. Probably the majority of applications developed run within firewalled corporate networks and do not need to be designed with security as such a prime factor.

Re:Intentional misuse

[asc99c]

I think this is a good point. I can't really think of any other goods of the same level of complexity as software, that are not regulated and produced according to strict standards. However the cost of failure in software is relatively low - at least in the sense that it can be measured in dollars rather than lives.

Re:Intentional misuse

[paratiritis]

I agree with you here. I was talking about the principle, not the severity of the faults. And probably this is the reason there is not much pressure to change this.

Of course there are exceptions. The space shuttle, nuclear reactors, even banks that move billions each day. These can have some pretty costly (in terms of both life and money) failures. But they are so few, they cannot pull the IT industry in this direction. They make great headlines and are then mostly forgotten.

Re:Intentional misuse

[mrsbrisby]

I suggest leaving it to the market to decide precisely because of this sort of issue

Justify that.

This issue is presently a public-relations problem with public-relations solution. So far, the strategy is to convince the user that they did something wrong and need more software. This works because the user tends to be under-educated, and because both competent and incompetent programmers are lock-step on message: programming is hard, you can't do it, and everyone makes mistakes.

I reject this premise, so I reject that the market should figure this out. We don't let anyone practice medicine and let the "market figure it out", nor do we let anyone practice law. Nor university professor, nor even the sale of many goods is possible without license, understanding and oversight.

Programming is hard; people have to be very clever, and have a very strong background in critical thinking, rigorous reasoning, and the scientific methods. Any programmer who says otherwise is incompetent; competent programmers do not make buffer overflows. Period.

Bonuses for good developers?

[Frekko]

Bonuses based on code "quality" and or quantity has been tried before. It simply does not work. Counting the number of security issues some guy makes does not necessarily mean he or she is a good developer. It depends on several factors:
- difficult or simple code
- amount of code written
- where in the application does the developer code? Some code is more likely to result in security issues.
- how well that person knows the code

Re:Bonuses for good developers?

[dave420]

Unfortunately, from my experience of bosses, that will quickly change to "Penalties for Bad Developers", which will destroy morale and make most of their developers, including their good ones, walk. Many bosses seem to prefer to punish undesired behaviour than reward the positive.

Absolutely

[cryptoluddite]

As a software developer I spend about a quarter of my time rewriting code that one of our other developers writes. His code is like a rhesus monkey came in and started flinging shit all around. He 'keeps up' with the other developers because he does the absolute minimum, never ever rewrites code to fix problems, cuts and pastes, etc. One time he cut and paste a second copy of a 200 line function so he could change one loop constant.

There's lots of developers like him, and they and/or their company should get sued over that code. At least when it is from negligence. Or there should be a licensing requirement.... something so that the people who are irresponsible or incompetent are held responsible for it.

Pretty much the only thing that makes programming not worth while is that people can hack out a 80% working code, get credit for it, then move on and leave all the crap for competent developers to fix. I would gladly pay a malpractice insurance fee if it means less having to deal with bullshit code.

Re:Absolutely

[Dahamma]

Tell me you are not so desperate for a job that you would spend 25% of your time fixing a coworker's mistakes? Bring it up with your manager, have his faults explained to him, document it over a month or so, and fire him if he doesn't get better. If the company doesn't agree to hold your coworkers accountable for their work, leave. There are plenty of other companies that do.

In fact, if you haven't already tried the above suggestions, the problem is almost as much your fault as anyone else's.

Re:Absolutely

[cryptoluddite]

Tell me you are not so desperate for a job that you would spend 25% of your time fixing a coworker's mistakes? Bring it up with your manager, have his faults explained to him, document it over a month or so, and fire him if he doesn't get better.

Because the other 75% of the time I get to code awesome stuff. He's friends with the CEO and went to college with a good portion of the company, so licensing or liability would help -- but your suggestions would not, Mr. Know-It-All.

Customers

[xstonedogx]

No matter what tricks you try to use to get your developers and others to focus on security issues, it is going to cost money. Denying bonuses won't help because your developers can always leave and work for a competitor who doesn't play that game. And you'll still have to fix those vulnerabilities.

The solution is to ask your customers. Given the choice between a more secure, more expensive product and a less secure, less expensive product, which will your customers choose? Once you have the answer to that, you'll have the answer to whether you should think of security vulnerabilities as defects or a price-reduction feature.

Black robes and Black Hats

[starglider29a]

I dare say that MOST developers do NOT know how to combat the most heinous, or even the most common hAx0Rz tricks. I've never triggered a buffer overflow in my life (on purpose).

To make software bullet proof requires the developers to have the skills of the hackers and malware writers, and the resources, the secret handshakes, the underground culture.

Yer talking one of two scenarios here:

1. PhD in Software security *by the time you got it, it'd be obsolete.
2. sending "nice" developers to infiltrate the black hat world.

Email me when that works out for ya~

Re:Black robes and Black Hats

[dvice_null]

Actually you really need just one person in the company with "haxor" skills to test the security of the products that others make. A single person can very quickly find a lot of common holes. That person doesn't need to a developer. He/She can be there just for testing or even just for supervising others that make the testing, to make sure that they test for security vulnerabilities also.

Re:Black robes and Black Hats

Do you believe, that that one guy will be able to catch *all* bugs? Remember, that the attacker needs to find only one bug. Every developer should know how to write secure code. It's unbelievable, that most CS students have no such lecture during their whole university career...

Re:Black robes and Black Hats

[Nerdfest]

Security is the responsibility of all developers and all _designers_. A lot of problems creep in very early, so it's something people just need to learn. Luckily, there are courses.

There are also tools, both OSS and commercial to analyze source code. All of these things help, and everyone should be using at least some of the measures available.

Re:Black robes and Black Hats

[FormOfActionBanana]

OK, you and your parent post are both saying ridiculous things.

The security person or security team do not need to be skilled at exploiting software OR hang out with shady characters in order to identify and remediate security vulnerabilities.

You can download or buy a security focused static analysis tool, for starters.

You can buy a penetration (dynamic analysis) testing tool that can sometimes uncover stuff static analysis misses.

You can learn up on secure coding principles without having to become an elite anything. A lot of software security comes down to not doing a small list of bad patterns.

I'll give you the first lesson for free. Validate all user inputs; make sure no input can have an unbounded length.

My employers wrote a book called "Secure Programming with Static Analysis." It's a pretty good read.

Generic unrelated subject

[jonaskoelker]

Everybody, please laugh at the subject of my post which has no relation to its contents ;)

What I meant to write when I wrote the subject is that, from the point of view external to the organization developing insecure software, you are, according to the wisdom of the /. masses, supposed to vote with your wallet.

Yet, how's that expected to take place? To apply some of Schneier's observations, you have multiple parties, each with their own security agenda; the sysadmin might want the most secure option because anything less will be a nightmare to maintain, whereas the phb will want the cheapest because that'll make him look good in the eyes of those who set his salary.

Guess who makes the purchasing decision. Guess which security agenda will be reflected in that decision. Sometimes, the insecure option will be the cheapest even when the cost of bad security has been factored in.

Also, consider the fact that writing "perfectly secure code" is hard and time-consuming, and thus expensive. Given that it's hard enough to write reasonably non-buggy code when there's enough of us, what does that predict for security issues? Now add in the variability in skill level of the developers, and the varying experience with the particular code base they work on.

TFA Author is Inexperienced

[awitod]

"The problem of course is I'm saying how the companies should handle them, and I have no authority at any of these places, save people actually valuing my ideas. Personally, I've done some development in the past, and there was the concept of defects. Your bonus would depend on how many defects were in your application at delivery time. These were feature-based defects, but shouldn't vulnerabilities be considered defects as well?"

So, the author freely admits he is neither a developer or a manager. If he was a developer he'd know that these are defects and everyone treats them as such.

If he was a manager, he'd know that one of the surest ways to wreck a good shop is to start doing comp based on defects. Here is what invariably (in my experience) happens when a shop includes defect counts in there comp plans.

1. Relationships between Dev, QA, Product Management and Operations get worse because the terms 'defect' and 'bug' become toxic. In reality these things always exist in software. The last thing you want to do is create barriers to dealing with them. Making the acknowledgment of a defect cost someone money means you will have arguments over every one of them unless they cause an out right crash.

2. Culture becomes overly risk-averse - No one wants to take on difficult problems or blaze new territory. The smartest people will naturally pick the easiest work to minimize the risk of defects.

3. Over-dependence on consultants - More CYA behavior. If it's too complex people will outsource to keep the defects away. This is a very bad thing if the nasty problems are because of business and not technical challenges. Now the people who know enough about the problem domain to understand the risk are hiring proxies who know nothing to avoid responsibility for 'defects'.

Re:TFA Author is Inexperienced

You are right. That's why that are "writing" about the subject rather than participating.

They have no skills that I can detect, which appears to be their experience level too.

Re:TFA Author is Inexperienced

What's even worse (and I've heard a story about this actually happening) is compensating people for fixing defects. What you get is programmers putting in errors on purpose, "finding" them a week later, fixing them and racking up huge bonuses.

Re:TFA Author is Inexperienced

[jesterzog]

Here is what invariably (in my experience) happens when a shop includes defect counts in there comp plans.

So far I've been fortunate enough not to have worked in such an environment. If I did, though, I could imagine that there would be a lot of motivation to fix the minor, easy-to-address defects such as "text is a slightly incorrect shade of gray", and ignoring the larger, more complicated defects that take longer to solve and might be orders of magnitude more serious for the end product. I guess this is partly related to your second point.

Treating security issues as defects depends on...

[SamP2]

...the nature of the security issue.

A defect, by definition, is an unintended behavior of a program. Something was designed to work, but for whatever reason, doesn't. Compare this to a lack of a feature, which means that something doesn't work because there was never the intention for it to work in the first place.

A buffer overflow or SQL injection related issue is almost definitely a defect, since there is a dedicated, designed parsing mechanism to process input, and if some types of inputs are not processed as intended, it is a defect of the software.

On the other hand, for example, a security issue arising from plaintext transmission of sensitive data over the net, is not necessarily a defect. If the site in question was never designed to use SSL or another encryption mechanism, then it's a lack of a feature. If the site in question is an online banking site, then it is a blatantly poor and inexcusable design shortcoming, but nontheless, not a defect. (Of course, if the site DID intend SSL to work properly, but for whatever reason there is a hole allowing to crack or circumvent the encryption, then it IS a defect).

Besides, assigning a "defect" status to a security issue is not necessarily useful for it's own sake. The understanding is that a responsible company should treat a security issue with much higher priority than a non-security related one, defect or not (compare "we released an emergency hotfix to download" to a "we'll ship the patch in the next release cycle"). Saying a security issue is a defect, is like saying that a cardiac arrest is "organ numbness" - true, but not very useful.

Wouldn't matter what you call them.

[nurb432]

The EULA's exempt holding the software maker for defects in their products anyway. Be them security holes or total meltdowns.

Re:Wouldn't matter what you call them.

[Khyber]

EULAs are unenforcable in California, which is why VMware, among other companies, has in section 8 of their EULA "This EULA will be governed by California law."

So us Californians are safe. No EULA can go against a law.

Re:Wouldn't matter what you call them.

[nurb432]

In that case, id would forbid sales of my software in that state without written pre-sale contract.

Just to protect myself.

Re:Wouldn't matter what you call them.

[Khyber]

Too bad most major software companies have HQ here in California. They'd be SOL.

Edward Deming would disagree

[stephanruby]

ZDNet Zero-Day blogger Nate McFeters has asked the question, 'Should vulnerabilities be treated as defects?' McFeters claims that if vulnerabilities were treated as product defects, companies would have an effective way of forcing developers and business units to focus on security issue. McFeters suggests providing bonuses for good developers, and taking away from bonuses for those that can't keep up. It's an interesting approach that if used, might force companies to take a stronger stance on security related issues.

When I think of defects and total quality management, I think of Edward Demings.

Edward Demings saw the problem of defects as a systems issue, not an individual performance issue. And his theory was that paying someone based on performance would have the unintended consequence of increasing the number of defects, not decrease them (Here is the list of Deming's 14 principles with my emphasis added in bold).

Deming offered fourteen key principles for management for transforming business effectiveness. The points were first presented in his book Out of the Crisis (p. 23-24)[19].

1. Create constancy of purpose toward improvement of product and service, with the aim to become competitive and stay in business, and to provide jobs.
2. Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change.
3. Cease dependence on inspection to achieve quality. Eliminate the need for inspection on a mass basis by building quality into the product in the first place.
4. End the practice of awarding business on the basis of price tag. Instead, minimize total cost. Move towards a single supplier for any one item, on a long-term relationship of loyalty and trust.
5. Improve constantly and forever the system of production and service, to improve quality and productivity, and thus constantly decrease cost.
6. Institute training on the job.
7. Institute leadership (see Point 12 and Ch. 8 of "Out of the Crisis"). The aim of supervision should be to help people and machines and gadgets to do a better job. Supervision of management is in need of overhaul, as well as supervision of production workers.
8. Drive out fear, so that everyone may work effectively for the company. (See Ch. 3 of "Out of the Crisis")
9. Break down barriers between departments. People in research, design, sales, and production must work as a team, to foresee problems of production and in use that may be encountered with the product or service.
10. Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Such exhortations only create adversarial relationships, as the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the work force.
11. a. Eliminate work standards (quotas) on the factory floor. Substitute leadership.
    b. Eliminate management by objective. Eliminate management by numbers, numerical goals. Substitute leadership.
12. a. Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality.
    b. Remove barriers that rob people in management and in engineering of their right to pride of workmanship. This means, inter alia, abolishment of the annual or merit rating and of management by objective (See CH. 3 of "Out of the Crisis").
13. Institute a vigorous program of education and self-improvement.
14. Put everybody in the company to work to accomplish the transformation. The transformation is everybody's work.

Re:Edward Deming would disagree

will you please just shut the fuck up? haven't you been clued in that no one is interested in what you have to say?

Re:Edward Deming would disagree

[tuomoks]

As would I, not that it matters.. You take, point by point, Edward Demings list and compare it to any software company practices! What do you get - a total mismatch, because it would break the management structure (and lower the next quarter profits - maybe?)

Part of blame goes to the consumer! There was a time when I was able to get an answer and often a fix in 12 hours from vendor. And they better - otherwise our ($1 million in 70's) monthly license payments somehow created the same problems, got lost, whatever. Of course you are holding you license payments today as long as there are obvious, not fixed problems in product?

Later, moving to vendor side, I was told not to hurry, we have more important things to do, as another week of meetings how to have better quality (I learned a lot of new acronyms and abbreviations, mostly made for inside use by some managers?), or told that actually it is a feature caused by "cost savings" and already in plans to change, maybe? And the customers, most of them, seemed happy with those answers, of course a little edited for customer use! And they bought the line how difficult and expensive it is to fix so it takes time - sorry?

Of course a customer is different, try that with your own management - I'm looking the problem, it takes time to analyze, to schedule the change to my workload, to find a good and correct solution, to develop and to test it, to figure how to incorporate it and the new documentation to the product and then to deploy it? Should work, if not, learn marketing and sales tactics!

For some answers which seem to assume that a person in assembly line, developers, etc, can do anything to change the process - go and get a job, maybe after a while you are not any more so sure how the current world works?

Re:No. They'd get sued

[nine-times]

The article (at least in my reading) isn't saying that they should be held legally accountable as selling a defective product. Instead it's about how companies should approach a bug report of a vulnerability. He's saying, when someone reports a vulnerability, consider it something that you're obligated to fix, not as a feature request.

But then, I think most people do. It seems like he hit a bad support person.

I ran into a similar problem once with Citrix, actually. Their software was relying on some library that it assumed was installed, even though recent Linux releases (at the time) had stopped using that library. The result was that the software didn't work until you tracked down that library, dropped it in the right place, and then it worked fine.

So I went to their website to give feedback, just to let them know. I mean, I'm sure they would have figured it out, but I thought, "may as well give them a heads up" because it was happening on major linux distros almost a year after their release. Citrix had released several updates to their software, and never fixed this problem. I couldn't find anyplace on their website to provide feedback, except for a form to give feedback about the website itself.

So I wrote up a little feedback, trying to explain the situation briefly (i.e. "I wanted to drop some feedback to your development team letting them know there's a problem, how to fix it, but I can't find any contact information on your website. Is there any way to submit this sort of feedback). The response came back quickly, "If you want support, you'll have to pay for a support contract."

I wrote back again, trying to explain, "No, see, I'm not looking for help, I'm trying to be helpful. I'm letting you know that there's a problem I already know how to fix. I was just wondering if there was a place to submit this sort of feedback."

Again, the response came in, "I'm sorry sir, but if you want us to help you with this problem, you'll need to buy our support contract."

At that point, I gave up.

tracking vulnerabilities

[Presto+Vivace]

Security Tracker, best source of information on security vulnerabilities that I know of.

Management is usually to blame

[tukang]

companies would have an effective way of forcing developers and business units to focus on security issue

I don't think developers need to be 'forced' because generally they understand the importance of making their software secure and if they don't do it then it's usually due to external pressures such as unreasonable deadlines and management not wanting them to spend time on something that does not have tangible results.

In short, the problem with a lot of companies is that management doesn't value security as much as it should. If they did then they probably would handle vulnerabilities as defects - but then again a lot of these vulnerabilities would have been prevented to begin with by giving developers sufficient time to properly design and test their code.

Should they?

[XanC]

These legal concepts apply to cars and other tangible goods but not to software. They should.

Would that not destroy hobby software, and much of OSS and Free Software along with it?

Re:Should they?

[John+Hasler]

No. The UCC is about commerce, and consequential damages can be and usually are disclaimed. If I make a free gift to you of a copy of my software and it turns out to be buggy how can you sue me for selling something defective? On the other hand if you sell a copy of my (GPL) software to someone else they should be able to sue you if it proves to be defective.

Re:Treating security issues as defects depends on.

[cjonslashdot]

You are correct. A security vulnerability is a defect if and only if the defect represents a failure with respect to a requirement. In fact, security is but one dimension of reliability, and so if the vendor is responsible for reliability, then the vendor should also be responsible for security. If there is no requirement for security, then it is not a defect. One of the posters mentioned that software that is sold for the intended purpose of general use on the Internet carries with it some implied requirements. (Merchantability.) Thus, just because the requirement for security is not explicitly stated does not mean that it is not there. If security is a requirement for a given environment of use, then a vulnerability is a defect, by definition. And yes, producers of software should be accountable in some manner for any and all defects, according to the terms of any explicit or implied warrantee.

Read the EULA

The people who produce and sell software already thought of this. The EULA goes to great lengths to try to absolve the maker from any kind of liability. In fact the data sheets for chips have wording that says the chips are not for use in any application where human life may be at risk.

If I were seriously damaged because of defective software or hardware, I would expect my lawyer to argue that the manufacturer had at least some liability. Microsoft, in particular, has very deep pockets though and I wouldn't be willing to spend much money fighting them. What I would hope for is that the threat of bad publicity would cause them to give me some money to shut up.

Anyway, as far as treating exploits as product defects, ... good luck.

Re:Read the EULA

[mysidia]

If I were seriously damaged because of defective software or hardware, I would expect my lawyer to argue that the manufacturer had at least some liability. Microsoft, in particular, has very deep pockets though and I wouldn't be willing to spend much money fighting them. What I would hope for is that the threat of bad publicity would cause them to give me some money to shut up.

They may have deep pockets, but that should actually makes them potentially more vulnerable -- say to class action, or similar, as MS are perceived as the big corporate bullies/bad guys.

Trying to get away with making dangerous products... (bad PR)

They're a business, and unlikely to want to spend millions defending themselves and their good will, when they can settle for a pittance and safe face.

The only reason they'd want to spend more defending than you stand to make out of them (if they lose), is to avoid the potential embarrasment of losing, the precedent it could set, if their EULA's liability limitations didn't hold up, and desire to make an example of the case (to dissuade people thinking about bringing similar cases in the future).

Respect their desires, and you can probably reach a deal, if a M$ product ever causes you real harm.

Already are

[spazoid12]

"McFeters suggests providing bonuses for good developers, and taking away from bonuses for those that can't keep up. It's an interesting approach that if used, might force companies to take a stronger stance on security related issues."

They already are considered defects. The only thing that might change is the prioritization of defects. This topic is ridiculous.

Bonuses? Are you suggesting bonuses for finding defects? In 20 years I've worked at only once place that awarded bonuses for resolving defects. The idea failed within weeks. I thought everyone had come to realize it was a bad idea and for obvious reasons. Must be a new generation of devs taking to the reigns and retrying old dead ideas.

You know what force[s] companies to take a stronger stance on security related issues? The consumer. Assuming the consumer knows anything and isn't just buying the same thing his cousin did because his cousin knows a guy who knows a guy who is a half-wit "computer consultant". Too many community college consultants out there...

Re:Already are

[mysidia]

Bonuses? Are you suggesting bonuses for finding defects? In 20 years I've worked at only once place that awarded bonuses for resolving defects. The idea failed within weeks.

Bonuses for having fewer than normal defects with your code makes sense.

Bonuses for finding defects made by some devs on your team are too easily abused... by devs "accidentally" introducing known bugs to help buddies collect the award a few days down the road.

And the "super-productive" cheaters+conspirators get praised while the honest developers seem unproductive and get canned.

Now if all devs are assigned bonuses and the defect finder gets part of the responsible developer's bonus (the developer responsible for the defect loses $2 of bonus for every $1 the defect finder gets), then that's more workable.

Great Idea On Paper...BUT...

[darkPHi3er]

In the RW, i'd suggset that we should consider the following;

You are Programmer Sian (notice the trendily androgynous name), you work for a gigantic software company, or conglomerate or industrial that does all its own major development inside, you are potentially confronted with;

1. Antiquated Developer Tools -- in general, the larger the development environment, unless you're Disgesting Your Own Pet's Nutrition, you are very likely to be using multi-year and/or multi-generation old development platforms and tools.

The question here is then, how can you effectively hold poor Sean accountable for vulnerablities, that are intrinsic to many older tools?

Who's more accounatable here? Sian or the managers who make the procurement decisions?

2. "Science Fiction" Application Programming Interfaces - depending on whether you are programming on a well-established product or not, if you are, Poor Sian is probably stuck with API's that were developed many years before and have been the victim of Design Creep, and its, Lunatic Cousin, Design Implosion.

In many instances the APIs, while they may once have had a large degree of Paradigmatic and Philosophic Design Integrity, as their initial Designers and Implementers have moved on to other; products, companies or, Worst Case, Inpatient Mental Health Facilities. Many New Designers have come in to add "Their Own Programming Uniqueness" to the APIs, frequently rendering the API's a jumble of radically different approaches to similar algorithms.

Should Sian be subjected to having their pay docked because 9/10 Functions implement a Library Call one way, and some "Johnny-Come-Lately" API function implements a similar looking, but substantially different in output function?

Shouldn't the API Designers/Architects be held more responsible for this one?

3. PHB Stupidity - As QC forwards endless application/OS defect notices to the Development/Maintenance Team, these defects are reviewed by the Team Managers and Supervisors. It's understandable, given the 11 hours per day of Absolutely Vital Meetings that most PHBs love to, i mean are forced to attend, that Defect Prioritization will suffer.

Sian can't choose what defects to repair, and in what order to repair them.

This is a management function, and one, in my experience, that Mgt usually jealously and zealously guards.

SOOOO, it's been the case in every Development project that i've worked on and know about, that PHB's have a well-understood tendency to prioritize Defect repair, according to external pressures, especially from Sales and Marketing.

Sales and Marketing organizations are usually likely to priortize according to their immediate impact on quarterly projections.

Vulnerablities are only likely to affect quarterly results when they are CATASTROPHIC defects, i.e. App or OS Killers. Otherwise, the majority of vulnerablities, which are usually well submerged in the Defect numbers, tend to get shoved aside for the higher priority defects that S&M believe impact immediate sales.

There are numerous other considerations here; including Contract Programmers, Legacy Compatability (ask the Vista Team about that one), Vendor Driver Teams that don't even know what to do with a new code base, etc, etc..

But it seems to me, that, while financial incentives CAN BE, useful as a Mgt tool for improving product quality, they should, to be even-handed, applied across the entire product team, with specific ***POSITIVE*** incentives used to take care limited, high priority problems across the product line.

There's already a tendency to "blame the programmer", and my Best Guess is, that any attempt to lay the responsiblity for vulnerabillites, THAT AREN'T CLEARLY THE RESULT OF SLOPPY/POOR/INCOMPETENT CODE PRODUCTION, at the feet of the programmer, will merely increase the employee turnover in the Development Team. Something that already is a problem most places.

from my experience: "The Fault, Horatio, Usually Lies Not In Our Code, But In Our Process"

Re:Great Idea On Paper...BUT...

[paratiritis]

from my experience: "The Fault, Horatio, Usually Lies Not In Our Code, But In Our Process"

Well all right, but the customer doesn't care. The company supplied a procuct that does not work as advertised. Yes probably in this case your Sian does not deserve blame but will tget blamed anyway. The world is unjust, true. But this still means that there was a problem (introduced by managers etc. who don't know and don't care)

How the company fares is the result of the market. If better companies exist it will sink. If not, it will survive. Sian's paycheck and continued misery will be assured. So will further security defects in future software.

Re:Great Idea On Paper...BUT...

[mysidia]

The question here is then, how can you effectively hold poor Sean accountable for vulnerablities, that are intrinsic to many older tools?

You don't. You hold Sean accountable if he makes a coding error or a design error.

If he is using a third-party API/compiler that company has chosen that does not adhere to standards, then you have provided all necessary documentation that effects coding practices, or the coder is not responsible.

If there is a bug in the compiler, then the maker of the compiler (and person who chose that compiler) is responsible, unless you have informed the developer of the specifics of the compiler bug and the decision to include workarounds in the code, then the code is not expected to workaround unknown bugs in the compiler/API/OS/etc.

If there is a bug in a third-party API, then the local developer is not responsible, until informed of the bug and what workarounds to implement.

And only then after developers are provided time to implement the third-party-API-bug workaround and failed to.

Semantics

[InsertCleverUsername]

This reminded me of a funny/ typical/ stupid/ aggravating thing at work a few weeks ago. I pointed out a security vulnerability in one of our intranet apps during a meeting to discuss the next release. Despite exasperating efforts to educate --and a heated argument over the correct term-- a project manager insisted on spreading the word to upper management that we had a "security breach." But in the war with management (and those who THINK they're above us on the org. chart), I guess it's all about the power struggle.

If you don't work with idiots, count yourself lucky.

NO! Otherway Round! Defects _are_ Vulnerabilities!

[refactored]

It's the other way round Dammit!

The vast majority of security vulnerabilities are merely exploits of defects!

How do you hack a system? Find a bug, that's usually pretty easy....

Then you have the system operating already, "not as the designer intended" and you're more than halfway there...just add a bit of creativity and malice aforethought.

Clueless writer dorks should know when to shut up.

[asackett]

The problem of security holes in commercial software products is not one of developer apathy, but instead is a consequence of resource constraint. Which is just a nice way of saying that during the push to achieve an unreasonably accelerated product launch date with a short staff, small things get overlooked by developers, and the big things get overlooked by management.

"Hey, boss, we've got a potential remote exploit here. We can't ship this garbage." "We have to ship. We'll catch it on the first patch cycle." "Uh, boss, we've never before caught anything on the first patch cycle. Why should we expect this one be any different?" "Good question. Here's another: Who's going to sign your paycheck next week if we don't ship this product on time?"

Clueless writer dorks should know when to shut up.

The market is to blame

[asc99c]

Management are trying to maximise profit, and typically don't care anywhere near as much as developers whether the job is done 'right'.

The problem is most buyers of software are way more interested in shiny bits and pieces than the security. If (more) people weren't willing to put up with insecure software, managers would be asking the developers to work more on the security aspects of the application.

Security vulnerabilitiesare not functionality bugs

[Heembo]

Functionality tests are easy to prove through unit and integration testing. Normal users spot functionality bugs quickly during normal product cycles.

However, security bugs are not easy to test or discover. In fact, it's very expensive to do testing to uncover even some easy classes of security vulnerabilities. Normal users do not stumble on security problems like they do with functionality issues.

Also, none of your developers were ever taught anything about application security in college. They professors are clueless. Even Michael Howard from MS who is hiring out of the best universities in the world cannot find a new grad who has any clue how to build secure software.

Functionality bugs and Security bugs are apples and oranges and deserve very different consideration. (Like measurement of Risk, etc)

Last, you can make a piece of software work. But you an never make a piece of software secure, only reduce risk to an acceptable level.

Depends on the vulnerability.

[mysidia]

It a remote attacker is able to exploit a buffer overflow to run arbitrary code via a network service (that's intended to be publicly reachable), then that's a software code defect.

The defect is the buffer overflow that can occur -- the security vulnerability is that the bug can be used by a remote attacker to cause the program to do something that compromises security.

Security vulnerability effects the severity of the bug, but not the fact that it is a bug.

If the vulnerable network service is documented as to be run only behind a special firewall, insulated from any adversary, then it's not a security vulnerability, if it is "exploited", then the exploit was due to the configuration of the software and network (for which the network admin is responsible). There is still a defect in the software code (but independent of security issues that improper system configuration may create).

If the program by default allows commands to be remotely executed through the software, in a normal way, that is part of the product, (without exploiting a bug), then it's not a defect.

Although it may have security implications, especially if the feature is enabled by default and there are no security protections by default.

If the software (that allows remote command execution) has no possibility of implementing security over the feature, and it is intended to provide a network service, then it is a design defect (not a programming defect).

If the software can be secure, but the default is not, then this is no defect -- either the documentation explains how to secure it, and the user is in error, or it doesn't, and the documentation is defective.

Insecure defaults aren't desirable, but they're not defects. The insecure defaults may be very convenient when running the software in a recommended environment where security is not an issue, or security is provided by network equipment (configured according to recommendations of the documentation to disallow untrusted access, say to certain ports, or from untrusted IPs).

McFeters is nuts!

[SwashbucklingCowboy]

I work with the vulnerability management team and product security team at a large software company, and trust me vulnerabilities are treated as product defects. The cost of addressing vulnerabilities in the field is huge, and not addressing them is simply not feasible - customers would never tolerate it.

Re:McFeters is nuts!

[SecureThroughObscure]

I work with the vulnerability management team and product security team at a large software company, and trust me vulnerabilities are treated as product defects. The cost of addressing vulnerabilities in the field is huge, and not addressing them is simply not feasible - customers would never tolerate it.

Haha, then you must not work for Apple or Microsoft.

Seriously though, I think that McFeters is pointing out that in his experience, companies are not treating them as defects, and he also points to an article by Dave Goldsmith that shows some companies are still not treating them at all.

SecureThroughObscure

Should software piracy be treated as theft?

[ClosedSource]

Redefining something rarely changes anyone's behavior.

Vunerabilities aren't defects unless the behavior of the application is inconsistent with it's requirements.

In any case, the solution isn't likely to be found in rewarding or punishing developers, but rather making security part of the requirements and providing enough development and testing time to insure that the software is secure.

Generally the market drives the process rather than software quality.

Re:Should software piracy be treated as theft?

[SecureThroughObscure]

Well, so, I think that McFeters makes the point that he's trying to change the behavior of companies. If they look at this differently, then the adjustments will be made. You mention that "Vulnerabilities aren't defects unless the behavior of the application is inconsistent with it's requirements."

I'd love to think that SQL Injection vulns are inconsistent with it's requirements.

What McFeters is talking about is not just rewarding or punishing developers, it's about changing the stance of an organization as a whole. Basically just what you are asking for.

Pointless

[CyberDog3K]

How many even slightly large software products have you ever seen that have no outstanding defects to begin with? Just browse a buganizer or two. There are thousands of open issues for major apps; some false, but plenty viable, if often minor, "defects." How you refer to a coding or logic error is irrelevant; whether it gets fixed or not is entirely dependant on the dedication of the supporting company, and how they envision it affecting their bottom line.

Re:Treating security issues as defects depends on.

[paratiritis]

On the other hand, for example, a security issue arising from plaintext transmission of sensitive data over the net, is not necessarily a defect. If the site in question was never designed to use SSL or another encryption mechanism, then it's a lack of a feature.

I disagree. What I would conclude in this case is that it is not the fault of the coder. It is the fault of the company that provided the software though.

Such a product would be designed in many stages. You would have an analysis, a design and an implementation phase, where coding is done (possibly in small iterative steps as in extreme programming, but all the steps are there). In this case the analysis, design or both are faulty. This is not the poor coders fault, but the coder was given defective specs, so the defect is there. The coder implemented correctly a defective system.

If the site in question is an online banking site, then it is a blatantly poor and inexcusable design shortcoming, but nontheless, not a defect. (Of course, if the site DID intend SSL to work properly, but for whatever reason there is a hole allowing to crack or circumvent the encryption, then it IS a defect).

Try telling the bank if it loses millions as a result that this was not a defect. This is a sure way for your company to lose all credibility.

DONT DO IT!

Poor Micro$oft would go belly up!

Too broad of a question

[cecil_turtle]

That's too broad of a question; it depends on the vulnerability. If my car's door lock can be bypassed by pulling slightly sideways on the door handle, that's a defect. If I can hold a cell phone over my car's windshield and it triggers the remote door unlock, that's a defect. But if I can smash a car window and climb in through it that's not a defect. If I can use an advanced lock pick set and have 2 hours alone with a car and get in that's not a defect.

The same thing applies in software - no piece of software will ever be impenetrable to every attack. The question is a matter of balance - given the purpose of the software, how much security is expected or required? How much trouble does a malicious entity have to go through to compromise the software?

And for many people the answer to those questions will be different for the same piece of software. That's where layered security comes into place. If I'm worried about my car's window being smashed and somebody climbing in to it, I don't blame the car manufacturer, instead I park the car in a garage. If there is something extra valuable I want to put in the car in the garage, maybe I put it in a lock box.

Well Yah...

[Darkness404]

Well of course vulnerabilities should be considered defects. Even more so, DRM should be seen as defects as that is even in the program's planning. A security hole is a small cut, something that should be patched, DRM is like a gaping wound that will never be patched.

Well ...

Developers who release shoddy products should be treated as engineers who design flawed systems. Unlike engineers, however, the quality of software developers has started to dwindle. What with outsourcing and economic uncertainty ...

Then again, you have to consider that vulnerable programs don't often contain vulnerable code themselves. Some link to vulnerable libraries and so forth. Some vulnerabilities are just so obscure that developers can't anticipate them.

Re:No. They'd get sued

Well then, the moral of your story is: don't buy/use Citrix' products. (I feel for you and I've the done the same when such has occurred to me --i.e., try to help out-- but the most of the proprietary world doesn't doesn't care.)

Re:No. They'd get sued

[arth1]

Very true. Also, the bonus system won't work for two reasons:
1: Security bugs tend to be discovered years down the road.
2: A lot of companies would have to start paying bonuses to programmers, and not just to S&M. That'd never float.

Re:No. They'd get sued

[turbidostato]

"when someone reports a vulnerability, consider it something that you're obligated to fix, not as a feature request."

Why any company in the world would do something like that!!!???

Oh, yes, only if they are legally or financially forced, that's how.

Or do you think any company in the world would rise their production costs for no benefit?

No - they go beyond application level defects

[devloop]

The elephant in the room is that primitive, unsafe tools endlessly perpetuate these problems. Buffer over/under flows are not difficult problems to solve at language design level, but the common tools We currently use to create applications make diagnosing them and fixing them rocket science. C and C++ (and other lesser used languages) are notorious for being hostile to catching these problems at compile time or debugging them when they happen later. In most cases, the problem goes "unnoticed" affecting unrelated functions in the application downstream and incorrect behavior or crashes happen at a later time when they can no longer be traced back to the original cause.

For kicks check http://en.wikipedia.org/wiki/Buffer_overflow#Choice_of_programming_language
Google search on http://www.google.com/search?hl=en&q=%2Bbuffer+%2B%22overflow%7Coverrun%7Cunderrun%22&btnG=Search

Re:No - they go beyond application level defects

[mrsbrisby]

What a load of crap. FORTH is as primitive and unsafe as they come and they don't have to deal with over/under flows the way incompetent C++ programmers have to.

If users knew that there was a corrolation between competence and bug-free and problem-free code, they'd stop accepting crap. Instead, there are a lot of programmers- some good, and some second rate, defending bugs and security problems as mere accidents at worst- the kind everyone makes.

Instead, we have this culture that has convinced the user to accept liability for the failure and weaknesses in the programmer. We have entire companies that sell additional buggy and broken software that promises "protection" from other buggy and broken software- locking the user into an otherwise invisible extortion racket.

Stop letting idiots near a compiler and the bugs will go away. Seriously.

Re:No - they go beyond application level defects

[TheLink]

"What a load of crap. FORTH is as primitive and unsafe as they come and they don't have to deal with over/under flows the way incompetent C++ programmers have to."

One reason is because people hardly ever bother to exploit FORTH programs or if they do they don't usually make so much noise about it. I crashed a forth webserver on my first try. But guess what, who cares. If you could crash Apache or IIS now at your first try, it's worth $$$.

But yeah, C++ is overused. Crappy programmers like me should stay away from dangerous languages like C++. I personally choose to use stuff like perl instead.

1) Too many people think they can write in C++ when probably < 100 people in the world can :).
2) Sometimes there really is no choice - even if you know you're not good enough, there aren't high level languages that are fast AND can do what you want as easily (despite also doing what the hacker wants easily - but the bosses and customers generally don't care about that).

Say you want to talk to the Linux kernel, good luck doing it in Java. If you do it in Lisp, if you ever want to stop supporting the program and do other things you'll have to resign - nobody to replace you.

"If users knew that there was a corrolation between competence and bug-free and problem-free code"

Most users don't appear to care _enough_.

Good luck getting a 100% competent dev team for a price users will pay for.

"Stop letting idiots near a compiler and the bugs will go away"

If you stop letting idiots near a compiler sure the bugs will go away, but there'll be a lot less software out there - PHP or MySQL wouldn't have been made. And look at the vast amount of PHP and MySQL based stuff out there (Slashdot is on MySQL I think).

That stuff "kind of" works, most of the time :).

Recall, fix, and sue...

[maz2331]

...the source of the crapacitors for fraud.

Re:Recall, fix, and sue...

[Sique]

That's an afterthought. First you are responsible for making your product save, even though you didn't manufacture the capacitors.

Ideal vs reality

Ideally, yes all program bugs, and security holes should be treated as defects.

In reality, programs can run to millions of lines of code worked on by hundreds or even thousands of different people.

On a scale that large, no amount of proof reading an double checking will work, there is just too much there. Its why we see beta tests, its an attempt to put their program under real world conditions to see what breaks.

Vulnerabilities are not always defects

[jc42]

If they weren't, they would be in the program design.

"It's not a bug; it's a feature."

That old joke isn't always a joke. Some vulnerabilities are built in, because they were put there intentionally by the designers and/or developers.

This is one of the primary arguments behind Open Source: If you can't get at the code and study it, you don't have any idea what "special features" might be hidden in there. The people who built it could have provided all sorts of back doors for exploitation by themselves or by other customers who have paid them for knowledge of how to get into your system.

Needless to say (but I'll say it anyway), one of the names for such non-bug vulnerabilities is "DRM", which refers to hidden code that prevents you from using your system as you'd like to use it.

Consider also the recent stories about software in Vista and earlier Windows releases that does automatic updates to some system components, even when you think you've turned off automatic updates. This misfeature is there explicitly to allow Microsoft (or anyone who pays them for access) to replace parts of your system with new code. It's pretty clear that this is a "vulnerability", but it's not a "bug" or "defect", because it was intentionally designed into the product.

Vulnerabilities Aren't Defects?

[carlzum]

They may be communicated to the public in a different way, but from a development perspective they're defects. The article's author describes a software vendor treating vulnerabilities as feature requests. This reminds me of Apple's response to the recent Safari "carpet bomb" controversy. Any possible vulnerability is a defect, usually a high priority one IMO.

Re:No. They'd get sued

[nine-times]

What about customer satisfaction, and the financial detriment of losing your customers?

Aw Yeahww!...

Dev1: Yeah, don't check for buffer 0o0verflow
Dev2: So when we quit/getFired()...they can never check all that code
Dev1: ...f'D up there asses...f'D up there asses...

for (i=0; iinfin;i++)
{
  attackIE()
  coverTracks(myIP)
  closeSocket()

}

Re:No. They'd get sued

[InlawBiker]

It's not so much a legal question as a business problem. Vendors are obligated to fix their bug and security holes because they are problems for customers.

I would just leave the courts out of it and let the free market decide. In this particular case, a good response would be: (A) I have reported this to management and we will seek other vendors to suit our needs. (B) I am obligated to report this security hole to the usual vulnerability lists, because since I found it obviously somebody else could too.

If they still don't fix it after that then find another vendor. Eventually, *poof* - bad vendor goes out of business, problem solved.

Because that's idiotic

[holophrastic]

Security vulnerabilities are a backwards way of describing the issue. There are "security issues" and there are "vulnerabilities". If you throw user passwords into the cloud, it's a security issue. If there's a way for someone to hack into your database of passwords, it's a vulnerability.

Vulnerabilities don't get solved -- virtually ever. Vulterabilities get "handled". By that I mean that every "solution" costs something -- resources, performance, interactivity, flexibility, time, something.

For example, the vast majority of the systems I build for customers do not encrypt user passwords, for one very simple reason. When a customer calls and says that they've forgotten their passcode, "resetting it" isn't as good customer service as simply telling them what it is. It's purely a business issue -- the added security of encrypting their passcode is simply not worth guiding them through the resetting process, or changing it and leaving them to wonder what it was. Simply put, they called to ask what their password is. They expect to receive that piece of information. We give it to them. Outside of systems dealing with actual dollars, the security benefit is not important enough.

I always look to the city streets. A typical 6-lane road (well they're typical where I live), has an orange line, four dashed white lines, and two solid white lines. Cars, buses, bicycles, motorcycles, and pedestrians travel in two directions at varying speeds. Absolutely nothing stops me from flicking my wrist to the left and swerving into on-coming traffic causing a huge and likely fatal problem to dozens of people going 80km/h.

If my city streets were a typical software application, would you have me ensure that motorists couldn't hit each other? Rules aren't enough, obviously. Walls and baracades would replace painted lines. You couldn't change lanes willy-nilly. And hey, every traffic light would need to raise tire-spikes? The costs, maintenance, and general complexity of everything and everyone on the roads just boils over.

The roads are built for travelling. As long as the primary focus is travel, it works. Everything else can be on the side-lines, but they cannot become the main event. Yes the roads could be safer, but no it's not worth losing the phone, the radio, the passenger conversation, the freedom, the flexibility, the speed, and the choice that we currently have. You know, it would be a lot safer if everyone drove minivans. And it would be a lot cheaper if everyone rode bicycles. And it would be alot faster if everyone rode motorcycles. But "everyone" and "all the time" just isn't an option in a free society.

The same is true with software. If I can send an e-mail as easily as opening a socket, connecting with my destination, issuing three commands, and transmitting my message, that's a beautiful thing. But now if you make me follow six rules for how and when to do so, lookup eight registries of my destination, dodge content restrictions, authenticate myself, wait for them to investigate me, respond to the investigation requests, respond to challenges, scan my own out-going message, and have them scan the very same message on the other end, all to deliver the very same tiny message, then we've taken a 1K communication and made it a 30K transaction.

Case in point. I do a lot of e-commerce work with a lot of gateways. Some -- the old-fashioned ones -- accept a very simple url-encoded post of name value pairs. Something as simple as an account number, a credit card number, and an amount to debit, they return an approval code. It can be that simple -- 40 bytes sent, 10 bytes received. Others, woah others, demand 3K of xml code to describe dozens of logically optionally yet syntactically mandatory fields, and return 2K of re-iterated information along with the same single approval code.

Sure, when I'm doing something incredibly fancy, the small one becomes just as big as the big one. But 99.9999999% of the time, I just want to charge a credit card. And I

Re:Clueless writer dorks should know when to shut

[zig007]

I agree totally.

Also, the customers aren't prepared to cough up what it takes to make the applications secure.
Some say this is a myth. I'd say that is not.
I have only met a few that even ask questions about application security.
We always try to sell security measures as a part of the solution. It is nearly impossible to make the customers understand without sounding paranoid and losing credibility.

And yes, I work a lot with banks and other similar entities which are supposed to have really high levels of security.
In some areas(that would be those where the government agencies are breathing down their necks), they are really good and and have enormously bureaucratic(verging on PIA) ways to handle that security.
But in almost ALL other areas of their application jungle, they aren't the least better, or even worse, than Joe's accounting down at the corner.

To end on a positive note, I did read a tender invite(i like it that way) for a new thing just the other day that explicitly excluded "office-like" products from being used in the solution.
Not that we neither would, or even could do that anyway, but maybe they are getting it, after all.
However, this is the first time i have ever seen this.

Ponder the implications

[Opportunist]

There is no bug free code. You are dependent on SO many variables, most of them not under your control (your program runs on an OS that you didn't write, was compiled with a compiler you didn't write, runs on hardware you didn't design which uses a BIOS that's not under your control...), that you can never credibly claim your program runs flawlessly. Even any given Hello World has the potential to be buggy, not even due to you. Worse yet, any (but the compiler, I give you that) can change on the target machine at any point in time. And any change may make a flaw come out that you couldn't even test when you implemented the software because the machine that uses a certain flag/spec you didn't account for when you created the software, simply because it wasn't even on the horizon back then.

There are two possible ways commercial software can be done should such a thing be implemented: First of all, not at all. It's an insane risk to be possible responsible for a flaw that's not going to show until the next generation of hardware or OS. Or software becomes insanely expensive due to increased testing and companies using the additional revenue to "insure" themselves against the risk of future lawsuits.

I do agree that the current practice of producing bananaware and abusing the customer as a paying beta tester is despicable, but simply turning around by 180 degree isn't going to solve the problem. There is no black and white solution to this problem.

Re:No. They'd get sued

[turbidostato]

"What about customer satisfaction"

bollocks

"and the financial detriment of losing your customers"

Which part of "legally or financially forced" didn't you understand?

Re:No. They'd get sued

[dcam]

Wow. You'd never expect a significant software company to do anything like that.

Wait... That process is *exactly* the Microsoft process.

Re:No. They'd get sued

[nine-times]

Um... you know the two are connected, right?

how else would you treat them?

seriously! is there any company that treats vulnerabilities as features as opposed to defects?

Oh yeah, let's treat defects as defects!

Vulnerabilities shouldn't be treated as defects, they _are_ defects. Defects of the most critical level. Which possibilities do you have to detect tampered data?

cb

IBM Lotus Notes defect reporting - via postal mail

I don't know if this is still the case, but for several years in this century the only defect reporting system for IBM Lotus Notes was to describe the problem in a physical paper letter and mail it to a P.O. Box. I couldn't make that shit up.

Scrum

There are several problems with the "unknown" factors in software design and result. One cannot fully determine what all features should or should not be in a product PRIOR to its design and completion. I think there is a law about software design that controls this. ;)
However, if the final product deviates from the design spec, i.e. if there are "features" (positive or negative) that end up in the product, then they must be addressed as "feature" or "bug". In either case, the design spec must be visited and altered to include or exclude a specific "feature".
For instance...
Both Space Shuttle disasters happened because the designers - testers - and maintainers all failed to evaluate the "feature" against the specification and make a ruling on if it was a flaw or not.
The bulging rocket seal and the extrusion that occurred in the first disaster...they said, "well it never blew up before..." and that was their excuse for not fixing it.
Or the foam that fell off in the second disaster, damaging the wing of the shuttle..."it never did any damage before..."
Famous last words...
This is why Scrum is such a great framework in which to develop software (or hardware)...you develop the item, and test it along the way...in testing you verify the functionality of the features against the spec. If you find things don't work, you address them in the next sprint (you don't change the spec to meet the new functionality...) if you find things not defined in the spec, you address them in the next sprint and decide if the functionality is beneficial or detrimental to the over-all functionality.
This would have resolved the issues with the shuttles, and with much of Microsoft's software problems...
So as we look to Web 2.0 and beyond, we should evaluate in what framework we operate...so far, the one that is most common is the one giving us the most trouble...
Check out scrum, Ken Schwaber's book is very good and can be applied to many situations.

Well, I'm shocked

[Fjodor42]

Obviously, I haven't given this topic the same amount of thought that the people who would argue that vulnerabilities aren't defects...

It would seem to me that reaching such a conclusion would involve some pretty thorough and creative thinking, possibly involving the use of alcohol, narcotics or some sort of newspeak habit, or, of course, possible combinations of such...

I'm not sure that I can completely rule out sheer stupidity either, but that would also have gone without saying.

Oh, well, didn't someone once say that reality beats imagination on a daily basis? I certainly never imagined that level of tomfoolery...

F

It's interesting you ask...

[SecureThroughObscure]

We've treated potential vulnerabilities in our products, even extremely minor ones, as defects for over two decades now. And we have always given them very high priority. To the best of our knowledge we've never had a remote exploit vulnerability, but even so we've gone so far as to scrap thousands of freshly pressed CDs a day before releasing them because I spotted a way to get root access through a tricky bit of business with shared libraries. (And that was for something spotted internally - no customer ever reported it.) The real question isn't whether to treat security vulnerabilities as a defect - of course you do - but - somewhat paradoxically - whether or not to treat them as security vulnerabilities. We were acquired some time ago and have now adopted (and adapted to) various more complex procedures typical of a large company. There's this little box you're supposed to check in our current bug reporting system that says "this is a security vulnerability". The problem is that checking that box fires up a whole lot of extra process that rarely helps and can actually hinder prompt resolution of the problem and getting the fix into customer's hands.

From your standpoint, your company treats vulnerabilities as defects. I think the author (McFeters) is making the point that most companies do not. Since he does work as a consultant for Ernst & Young, and has many times mentioned his background with web application pen testing, I think it's safe to say he probably has a pretty good grasp on how many do treat vulns as defects and how many don't.

I'm curious though, if your company treats vulns as defects, then do you punish or praise employees as the author suggests you should? Has your company implemented the much talked about Secure SDLC to catch vulns in the design phase?

SecureThroughObscure

Re:It's interesting you ask...

[EdwinFreed]

That's a good question. I'll do my best to answer it but since the number of security vulnerabilities of any sort we've had is pretty small I'm not sure how relevant my answer will be.

This is a big company and we have lots of software products. There's a group of folks that analyze the data from our change request (CR) system. I've only met with them once for a review of our product's CRs so my knowledge is pretty skimpy and quite possibly not at all representative, but here's what transpired.

They started with a breakdown of defects by various criteria: Component involved, root cause analysis, etc. It was clear some parts of our products are buggier than others but we already knew that. There was no attempt, however, to pin problems on specific engineers.

Beyond the obvious category stuff the data was really too noisy to draw any strong conclusions. One interesting observation about the process, however, was that the defects they cared most about were ones that had been filed and not fixed quickly - which seemed pretty reasonable to me.

Then they started drilling into requests for enhancement (RFEs) as opposed to defects. Believe it or not, this was a bigger concern. In particular, it seems we had an unacceptably high number of so-called "escalated RFEs". (Escalations happen when customers "take it to the next" level with support.)

We explained that the reason for this was that our releases had been, in hindsight, too far apart and that in our process the only way to get an enhancement backported from development to a production version was by escalating things with support. In other words, we were being yelled at for having used a process hack to get things done.

To be fair, I suspect that had there been a bunch of outstanding defects with associated escalations we would have been yelled at for that. But there were few if any of those.

As you might expect the immediate action we took was to stop using escalations to request backports. And AFAIK we haven't heard from the tracking people since. So the conclusion here is that what really mattered to them was customer satisfaction as measured by the number of escalations filed.

Now, as for using Secure SDLC, we don't use it and I'm not sure how much better off we'd be if we did. The very few security vulnerabilities we have had have mostly been the result of implementation errors, not design errors. (The defect I mentioned previously is actually one of the rare exceptions.) What we do do (in the parts of the product I work on at least) is try very hard to use secure implementation techniques - use carefully vetted routine libraries, avoid known problematic runtimes, and so on.

Oh, and FWIW, I'm not especially worried about being sued for calling a security vulnerability the defect it is. (This is not to say I don't worry about lawsuits - the possibility of a patent infringement suit coming in out of the blue scares the crap out of me.) We try and deal fairly and openly with our customers and that has worked well for us. (It undoubtedly helps a lot that our customers are almost always other companies, not individuals.) Maybe I'm naive, but I think once you start misrepresenting things to your customers you're far more likely to get into trouble.

RE: From the Original Author: Inexperienced?

[nmcfeters]

Hello, this is Nate McFeters, the original author of the article.

Awitod quoted me as saying:
"The problem of course is I'm saying how the companies should handle them, and I have no authority at any of these places, save people actually valuing my ideas. Personally, I've done some development in the past, and there was the concept of defects. Your bonus would depend on how many defects were in your application at delivery time. These were feature-based defects, but shouldn't vulnerabilities be considered defects as well?"

And has responded with the following:
"So, the author freely admits he is neither a developer or a manager. If he was a developer he'd know that these are defects and everyone treats them as such."

To that, I respond by saying that I am no longer a developer or manager, although I did develop applications in both Java and C++ for around 6 years full-time, and managed a significant development effort of over 200K lines of code. Currently, I work at Ernst & Young's Advanced Security Center as a consultant, where I work with a lot of fortune 500 companies, mostly on addressing their web application security needs. I've performed deep source code assessments on applications over 2 million lines of code and been tightly integrated into a few companies development lifecycles. SO, that said, I truly have a ton of experience with this type of thing, and I'm actually surprised that so many people on the Slashdot list here have responded saying that they ARE treating these as defects, as this is NOT what I've seen from a majority of my clients and does not reflect what I've heard from others in my line of work with other consulting companies.

Awitod goes on to say:
"If he was a manager, he'd know that one of the surest ways to wreck a good shop is to start doing comp based on defects. Here is what invariably (in my experience) happens when a shop includes defect counts in there comp plans.

1. Relationships between Dev, QA, Product Management and Operations get worse because the terms 'defect' and 'bug' become toxic. In reality these things always exist in software. The last thing you want to do is create barriers to dealing with them. Making the acknowledgment of a defect cost someone money means you will have arguments over every one of them unless they cause an out right crash."

I don't agree that this is necessarily the case. I don't think you have to wreck relationships to encourage a positive competitive environment. This is exactly why I suggested moving to a positive culture that includes training for developers, a secure software development lifecycle that encourages challenging development and business to look at security issues throughout the entire development of an application, and most importantly, I actually suggested that rather than take the negative approach... reinforce positively.

For example, the top BU could get the biggest bonus, or a celebratory night out, or whatever... maybe it's just a trophy or championship belt they get to keep with their group, which could be a fun pride point. Positive competition can be astoundingly effective at managing a team.

Awitod continues:
"2. Culture becomes overly risk-averse - No one wants to take on difficult problems or blaze new territory. The smartest people will naturally pick the easiest work to minimize the risk of defects."

I disagree and feel this could be fixed quite simply. If you address possible security concerns in the design phase of the application build out, you have a pretty good idea of the threat threshold of the application. Applications that are tackling tough challenges or blazing new territory could be given higher scoring factors.

Think of this similar to how an Olympic Diver can perform a perfect jump, but still get a lower score than someone who just missed a tougher jump. In this case, strong teams will be striving to take on the tougher challenges. You could also put other factors into that as wel

Re: From the Original Author: Inexperienced?

[SecureThroughObscure]

Good to see a response from the original author on this. Awitod, don't confuse a difference of opinion with lack of experience.

Relax

[SecureThroughObscure]

I think that McFeters would agree with you, probably except for the part where you call him a "clueless writer dork". This is more often than not a symptom of the culture of a company, not of the developers. If you read McFeters' whole article, he comments on creating a more positive culture that rewards developers who catch bugs, etc.

This is the perfect example of why a lot of companies need a reality check. You can't hold devs under the fire for flaws that were introduced by the original design itself, which more often than not is driven by flawed business requirements.

SecureThroughObscure

Re:Security vulnerabilitiesare not functionality b

[SecureThroughObscure]

You're looking at discovery of flaws at the wrong point... as most do. If you constantly find flaws by hiring pentest firms, you are in the wrong stage. You need to get Secure SDLC built into your development and actually try to catch these flaws in the design phase. This will considerably lower the cost and number of vulnerabilities.

Re:Security vulnerabilitiesare not functionality b

[Heembo]

If you constantly find flaws by hiring pentest firms, you are in the wrong stage. You need to get Secure SDLC built into your development and actually try to catch these flaws in the design phase.

That is great in theory, and might be true in the future, but you are missing the reality of the software development industry as it stands today.

1) Universities are not teaching software engineers about application security.

2) Most development organizations do not have leadership that understand the complexities and processes needed for secure software engineering.

3) Network Security training organizations like SANS teach courses around application security that barely teaches developers the skills needed to write secure applications. They still approach appSec from an operations point of view - where just like WAF deployment, you are too late or doing to little.

To really crack the AppSec nut, I recommend you approach this problem from several angles.

1) Start by (continuously) training your developers regarding application security. There are few firms that really do this well in a developer-centric way. Aspect Security ( http://www.aspectsecurity.com/ ) and Whitehat Security ( http://www.whitehatsec.com/ ) are 2 of the leaders in this field.

2) Begin building in-house application security pentest teams - this is a very different skill set than netSec pen testers. (You are right, you cannot just keep hiring pentest firms for the long haul)

3) Next do a risk assessment and catalog your applications current risk posture. Management appSec training is needed during this phase, as well.
4) Bring in a appSec pentest firm to assess your highest risk applications. Keep track of these results carefully so that fixes from developers can be tracked over time to verify that you are really reducing the applications risk posture over time.

Achieving application security excellence is a difficult process. And 3rd party application security training and application security pentesting (assessment) is critical on the path to success.

It'll never happen

Software companies don't even treat defects as defects.