Most Security Products Fail To Perform

An anonymous reader writes "Nearly 80 percent of security products fail to perform as intended when first tested and generally require two or more cycles of testing before achieving certification, according to a new ICSA Labs report that details lessons gleaned from testing thousands of security products over 20 years. Across seven product categories core product functionality accounted for 78 percent of initial test failures. For example, an anti-virus product failing to prevent infection and for firewalls or an IPS product not filtering malicious traffic. Rounding out the top three is the startling finding that 44 percent of security products had inherent security problems. Security testing issues range from vulnerabilities that compromise the confidentiality or integrity of the system to random behavior that affects product availability."

well

[zoomshorts]

Most security products are basically after the fact. Does this surprise anyone???

Re:well

I think what you're actually trying to say is, "Most software products are not OpenBSD."

These days, if you want security, OpenBSD is the ONLY way to go.

They are the ONLY significant operating system project to have security as their primary goal.

They are the ONLY significant operating system project to perform extensive and proper code reviews, with security in mind.

They are the ONLY significant operating system project to go so far as to maintain their own secure versions of third-party software, like Apache HTTPD, because the other project can't do security properly.

They are the ONLY significant operating system project to proactively force security on their users.

In short, if you want security, you NEED to use OpenBSD. Otherwise, you're just playing a game that you will end up losing. Windows clearly isn't secure by any means. Most Linux distributions don't offer even a fraction of the security of OpenBSD. Solaris is perhaps the second-best option, after OpenBSD, but the recent Sun/Oracle nonsense has put their future into doubt.

Re:well

[ozmanjusri]

Most security products are basically after the fact. Does this surprise anyone???

Billion dollar industries have sprung up to address flaws in Windows. Does that surprise anyone?

As the OP says, security products are after the fact solutions. They are intended to band-aid over holes in the product they are ostensibly protecting. They can never fix the actual flaws, nor identify all of the hidden weaknesses.

Re:well

Or, you know, you could balance and manage risk sensibly. The goal of information security is not to eliminate risk, it's to manage it.

Re:well

[Woldscum]

http://www.icsalabs.com/press-release/icsa-labs-study-finds-most-security-products-fail-initial-certification-tests ICSA is owned by Verizon who I work for. MY BS meter is going off. This sounds like a push to sell ICSA approved software. Of course Verizon will offer it.

Re:well

[kimvette]

Oh, really ? If it's secure enough for these guys, it's secure enough for you and me.

Re:well

[Runaway1956]

Well - if you changed your "OpenBSD" to "OpenSource", I could agree with you wholeheartedly. Seriously - BSD looks as good as anything on the market, but I've not found a compelling reason to use BSD instead of the more mainstream Linuxes.

Because you limit your comment to one specific Unix-like, you just come across as a fanboi. Next time, try highlighting the merits of unix-like OS's, then compare how one or another stacks up to each other. You might find a convert - or not. But, at least you won't be an obvious fanboi!

Re:well

Former VZ employee here. Is the Verizon (aka Radialpoint) Security Suite on that list anywhere? That ought to be a test of their supposed neutrality. I can't check it myself because of traffic filters.

Re:well

[Shane+dot+H]

Bruce Schneier mostly runs Windows. The NSA uses several different versions of Windows and many different flavors of Unix and Linux. I'm sure they have BSD boxes somewhere in their massive inventory, but it is by no means their primary or secondary computing platform. Why do you suppose that is?

It's because computer security is only a small piece of the security big picture. It doesn't matter how technically secure your systems are if you have a malicious trusted insider carrying sensitive data out, or performing sabotage. How resistant is your entire system to rubber hose cryptanalysis? If a bunch of guys tried to forcibly take control of your data center with machine guns, how secure would your system be? The NSA has offices out there with a bunch of Windows XP boxes - but where they have customized hardware based encryption with at the data entry/exit points, incredibly strict key management policies, TEMPEST shielding, armed users, detailed destruction procedures, and incendiary grenades sitting in the corner.

Most security products fail to perform

[mjwx]

Maybe they're nervous?

I mean you put them under a lot of pressure to perform and chastise them harshly when they fail to meet your expectations.

Perhaps you should mix them a nice drink, use some mood lighting and tell them you love them once in a while. It's not just about you after all.

Re:Most security products fail to perform

Yeah, but they really shouldn't worry about it, as the products mature it will happen more and more.

Re:Most security products fail to perform

[slimjim8094]

Security devices can't get it up?

Of course not - many security devices require you to get it up before you can even install them.

Re:Most security products fail to perform

[ObsessiveMathsFreak]

You mean after the all the claims they made? After all they said they'd keep us safe from? After how sure they made us feel in their ability? After all the charm, and the cajoling, and the expenses, and the hassle? After all they promised, now that they can't live up to even our most basic expectations, you're telling me that we're the ones at fault?

They can't perform, but now we're the ones who have to change? We're the ones who have to clean all the laundry, and be careful around strangers, and lock up for the night? We need protecting, but they have to be looked after first? We're the ones who have to change our ways, just to make them feel they're doing a good job!?

My mother was right!! I should never have subscribed to a service that came with a free trial!!

Re:Most security products fail to perform

Nice. Why do you sound like my mother in law?

Re:Most security products fail to perform

Porn, Government, and Security Devices...They promise so much, and deliver so little.

Re:Most security products fail to perform

What, no floppy disk jokes yet?

What about "What part of SOFTware don't you understand?

Re:Most security products fail to perform

[pig_man1899]

As my basketball coach said, "You gotta get it up to get it in."

Re:Most security products fail to perform

[Marxist+Hacker+42]

Remove the word "security" from the above sentence and replace with "software", and you'll have a good view of the industry.

This just in!

[L4t3r4lu5]

New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

Is security software supposed to be automagically immune to human error? Or is this another "Coders aren't employing secure coding practices" piece I've been reading for well over 3 years. "Validate your inputs" "check loops exit under all circumstances" etc etc. Woo. Insightful this ain't.

Re:This just in!

[Herkum01]

New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

Companies (in general) would rather polish turds than expend the energy to make a good product.

Re:This just in!

[mcgrew]

Woo. Insightful this ain't.

Mods, please don't mod that uninsightful coment "insightful". Having a defect in a device I've bought has been extremely rare, buying anything from toasters to TV sets to video cards that just don't work is unheard of. Don't talk to me about the "complexity" of writing software, you think you car is simple?

If your software is buggy your company is incompetent. Period. We as customers shoud stop putting up with defective products and beta sofware that's been rolled out as a "finished product." If I find your software doesn't perform, I should get my money back.

People, can we please stop putting up with incompetents' excuses? After a quarter of a century of putting my up with your crap software I'm getting a little tired of it.

Re:This just in!

Is security software supposed to be automagically immune to human error?

You used an interesting word there: immune. Stick with me for a bit.

a. Germs exist.
b. Germs get people sick.
c. Sick people spread infection through fluids, either by touch or aerosol.
d. Man invents devices (chemicals and masks) to mitigate the spread of disease.

And another example...

a. Man made guns.
b. Guns kill people.
c. Man decided that he needed to find some way to stop bullets from killing people.
d. He invented bullet-proof vests.

Why do we have hand sanitizers and masks? It's easier to prevent infection than to change the immune system. Why did we have to make bullet-proof vests? We made bullet proof vests because, compared to the alternative (making bullet-proof people) a vest is about your best choice.

Now, look at computer security. We _do_ have access to the computer's immune system. We _cam_ make it bulletproof. Antivirus and antispyware is the wrong approach: the classical approach. We're trying to mitigate the issue at the wrong point.

Give the machine a better immune system. Make it physically bulletproof. We have the technology and the capacity.

Re:This just in!

[Thanshin]

you think you car is simple?

Car analogy to the rescue!

Let's imagine you're a car builder capable of building cars with the current expected quality.

Let's now imagine your competition builds and sells defective cars for half your costs. For whatever reason, the buyer will buy the half cost faulty car and then repair it until it finally works, rather than buying your "perfect on release" car.

What do you do?

Re:This just in!

I dunno, let's ask Toyota or Honda why they just can't get people to stop buying Chevys. Oh wait, the car industry doesn't work the way you seem to assume it does.

Re:This just in!

[L4t3r4lu5]

Here's a quote you might like: I reject your reality, and substitute my own! - Mythbusters

Half of me thinks you're being sarcastic, but the other half is concerned that you think companies actually want to pay for something good, and that PHBs don't impose stupid deadlines to rush projects out of the door because competitors are building the same product.

You want to know which projects are going to be bug-free at realease? Hurd, Duke Nukem: Forever, and the Phantom console.

Re:This just in!

[RichardJenkins]

Your car may be complex, but it has relatively few ways for the user to interact with, and is likely always used in the same environment, and fundamentally the same to most every other car on the road. It's been done. Lots.

This goes doubly for your TV and even more for your toaster.

Are you saying software bugs needn't exist because mechanical and electrical engineering can be done so well? That's asinine.

And last I checked, most cars can still crash.

Re:This just in!

[PrescriptionWarning]

There's a big difference between software and hardware my friend. The first of which is safety: when a TV or Car blow up or otherwise severely malfunction it is not tolerated and therefore companies that make those products have much different cycles of testing and engineering (Waterfall development cycles). Software on the other hand has much more leniency for most fields since it has the capability of being continually improved and has a tendency to be rushed through development with that in mind (Spiral development cycles)... this is where the the comparison breaks down between the seeming reliability of hardware versus software.

Re:This just in!

[gclef]

No, but there is a certain level of irony (or at least amusing superposition) when a security product has security vulnerabilities...after all, getting your company hacked because you put in security controls isn't the way one anticipates these things happening. To use a car analogy, it's as if belting your seatbelt led to *more* people dying.

Re:This just in!

while I agree that commercial (paid-for) software should come with some sort of warranty, you should consider that a toaster is about as complicated as

        #include
        int
        main(int, char**)
        {
                sleep(5 * 60);
                return 0;
        }

when your toaster fries the slice you put in, well, you make sure to time it better or eject earlier. in a software toaster, the potential to turn bread into charcoal would be considered a showstopper.

Re:This just in!

[L4t3r4lu5]

Once again we come to the weak point in the system.

Idiot in, idiot out. PEBSWAC (Steering Wheel)

Re:This just in!

[mcgrew]

Let's now imagine your competition builds and sells defective cars for half your costs

So if that would work, why hasn't anyone done it? The answer is simple -- car buyers are smarter than people who buy software. Also, it's a lot easier to patch a program than to recall a defective car.

And cars have warrantees. I'd like to see warrantees on software.

Also, see the AC who responded to your comment, he said a few things I was going to.

Re:This just in!

[rgviza]

http://www.safetyforum.com/fordcruisecontrol/
This is the tip of the iceburg. At least software engineers don't burn people's houses down and kill people with a bug then deny it's their fault.

I got news for you: nobody's perfect.

Re:This just in!

[rgviza]

You should become an engineer. You sound like you would be a perfect candidate for the job with your quality conscious attitude.

Re:This just in!

"My job is to apply the formula: A times B times C equals X. If X is less than the cost of a recall, we don't do one."

Re:This just in!

Whenever I see that inane comment, it turns me into Jack's raging bile duct.

Fight Club has brainwashed an entire segment of the population into believing that recalls are that simple.
It ignores stuff like criminal charges for negligence, that the NHTSA has the ability to force recalls, or that
insurance companies might have a say in it as well.

Re:This just in!

[mcgrew]

If your starter goes out a week after buying a new car, there's no safety issue but you're not likely to buy that brand of car again. Any auto manufacturer with shoddy manufacturing and design won't be in business long, unlike software.

Re:This just in!

[mcgrew]

And last I checked, most cars can still crash.

Like software, blame the device driver... only with cars it usually is the driver.

Re:This just in!

[cbiltcliffe]

I dunno, let's ask Toyota or Honda why they just can't get people to stop buying Chevys. Oh wait, the car industry doesn't work the way you seem to assume it does.

Maybe because Toyotas suck, too?

Re:This just in!

[cbiltcliffe]

New devices and software may have bugs which affect performance. Patches may be required for correct performance when exposed to unexpected conditions.

I read the article.

Nowhere does it mention that these are new products. Only that they're newly used within any given company.

It also mentions that patching to fix problems is a problem in itself, with 20% of products failing to accept patches properly.

Re:This just in!

[Thanshin]

Your answer leads to the answer to the post I was answering (which was my intention).

Changing the software quality paradigm isn't a responsibity of the producers, it's the buyers who must start asking for quality and paying for it, as they are who create the market in the first place.

Re:This just in!

[Nadaka]

We _cam_ make it bulletproof...
yes we cam?

Re:This just in!

[hesaigo999ca]

I have to applaud your comparison to the car or even the airline sector. If any of those sectors had the same failure rate as the software sector, we would be walking with about 50% less population and an accepted death rate much higher then we do now.

People allow this crap to happen, and still line the pockets of the M$ corporate types. The day we all say no to gas price hikes by banding together and stop buying gas for a full week, like the email sells you to do....then we will see gas prices drop like a hot potato. Same as with the software sector. I tend to find the hardware sector a little better, in that if something is faulty they replace it with a good one, so they tend to get a bigger nicer review from me.

In the end, if we simply say no to endless patches and just say we wont use anything until its been fixed, watch how quick the fixing happens.

Re:This just in!

[mcgrew]

I'd make a lousy engineer.

Re:This just in!

I think we're all missing something in the article summary:

when ***FIRST TESTED***

Read the rest of that sentence, too. "Two or more cycles of testing before achieving certification". That means that it hasn't been released yet.

When was the last time you coded something and it not only compiled the first time out, but worked perfectly? Was it entitled "Hello World"?

Sorry, but this article is not news.

Re:This just in!

[mcgrew]

I agree with you, except for this:

The day we all say no to gas price hikes by banding together and stop buying gas for a full week, like the email sells you to do....then we will see gas prices drop like a hot potato.

Gasoline prices are artificially influenced by the prices of gasoline futures. A little earlier this year gas prices started dropping slightly because of oversupply and decreased demand, then promptly jumped $.25 per gallon in less than a week because it looked like the recession may be ending (it isn't) and the futures traders bet that gas prices would go up when the economy did.

Re:This just in!

Are you saying software bugs needn't exist because mechanical and electrical engineering can be done so well?

You obviously don't own a Chevy. :D (from a Mustang owner)

All kidding aside, though, the automotive parallel works exactly right, but not in the poster's intended way. Cars break down all the time. Ever had a recall? That means the engineers screwed up (or someone on the assembly line did). Happens to Camaros all the time . . .

Fact of the matter is, no one is perfect. People sell faulty products. Sometimes it's an honest screw-up, sometimes it's criminal carelessness, but don't expect people to be perfect.

Re:This just in!

> Don't talk to me about the "complexity" of writing software, you think you car is simple?

Security hardware/software has to constantly deal with new attacks. Your car doesn't have to deal with anything that hasn't existed for ah hundred years already, and yet a street thug can still be walking away with your radio in under two minutes. (Or driving away the whole car, given slightly more time).

> If your software is buggy your company is incompetent. Period. We as customers shoud stop putting up with defective products and beta sofware that's been rolled out as a "finished product." If I find your software doesn't perform, I should get my money back.

We live in an era where the automobile, which has been under continuous development and refinement for a century, is still produced with major flaws, subject to recalls because tires may blow out when they aren't supposed to, and wires may fray and light the engine on fire. And that's counting the top end modern first-world cars. You can't even get the Chinese exports here, because they keep failing the crash tests, because the steel and welding quality is so bad that they fatally pancake in a 35mph crash.

And you don't get your money back if you get a bad car, outside of a certain short time period from purchase, just like software. You get free patches for both, and that's it.

Re:This just in!

The day we all say no to gas price hikes by banding together and stop buying gas for a full week, like the email sells you to do....

So YOU'RE the one that keeps forwarding those chain letters!!!!!!!!!

Re:This just in!

yes we cam?

He's going back to the car analogy. Bulletproof camshafts and such.

Re:This just in!

[mcgrew]

Yes, there are recalls, but I've never had a car I've owned recalled and I doubt many people have had more than one recall in their life. I wasn't just talking about security software and security vulns, but software and bugs in general.

Computer programming has been around since 1843, the gasoline powered automobile wasn't invented until 1806, less than fifty years earlier.

Re:This just in!

[syousef]

Having a defect in a device I've bought has been extremely rare, buying anything from toasters to TV sets to video cards that just don't work is unheard of. Don't talk to me about the "complexity" of writing software, you think you car is simple?

I guess you've never heard of factory recalls?

Video cards
http://www.google.com.au/#hl=en&safe=off&q=video+card+factory+recalls&meta=&aq=&oq=&fp=401997eedf2eee64

Toasters
http://www.google.com.au/#hl=en&safe=off&q=toaster+factory+recalls&meta=&aq=f&oq=&fp=401997eedf2eee64

Televisions
http://www.google.com.au/#hl=en&safe=off&q=television+factory+recalls&meta=&aq=&oq=&fp=401997eedf2eee64

Cars
http://www.google.com.au/#hl=en&source=hp&q=car+factory+recalls&btnG=Google+Search&meta=&aq=1&oq=car+factory+re&fp=401997eedf2eee64

Like a lot of comments made here, yours may sound fair and good, but it doesn't stand up to scrutiny.

Re:This just in!

Ha! I feel sorry for you people living in the toaster stone age.

My Toaster has 27 different browning modes, defrost modes, is self cleaning AND can butter the toast itself (using a low in saturated fat spread if it detects unhealthy cholesterol levels in the user). I'm getting an upgrade soon so it will bake the bread too.

You people sicken me.

Re:This just in!

[mcgrew]

Yes, there are product recalls, but they are relatively rare. I've never had a product I owned recalled, but except for games I don't think I've ever bought a piece of software that didn't get at least one bug patch.

Yes, airplanes crash, but that's rare too.

Re:This just in!

Well I used to work in the automotive media and I think you have it slightly wrong. In fact it works much like the software industry: The cars with major defects and bad build quality cost twice as much not half. In addition they are deliberately obfuscated and tamper protected to ensure that you go to the correct tech support (servicing) provider. Just like software the most reliable cars are usually the ones that are simple and cheap.

Re:This just in!

[initialE]

Why sell a product if you're not ready to make it work? I'm looking at you, Symantec! When Endpoint Protection first rolled out it was so buggy it couldn't do anything right. It's as though nobody bothered to do any testing at all. And those guys had the nerve to collect money for it.

Re:This just in!

[hesaigo999ca]

Do not confuse the gas prices being the way they are because of what have done compared to what the gas prices are because of what the economy is and what the gas companies think we can afford.
A study has been done by the likes more intelligent then me, that have calculated the holding tanks capacity for storing the fuel the saudis have, and how much is actually coming out of there....

If we were all to just stop gasing for a week, and I mean all of north america, their biggest client....they would such an overstock that they ...the scientist, using today's business models, and current situational response by a business that would face the same type of problem, and they say
that the companies would have no choice but to slash the gas prices in half. If we held on for one more week again, they would go bankrupt....I wish I had their links to put up, but I have seen this
on more then one sight, I will try to find it and link it.

The gas companies are the worst oversellers...controlling the medias to make you think we are running out of oil, pushing gas prices even further up....we have no oil shortage trust me...for one thing they have even figured out how to turn plastics into reusable oil, this I can't wait to see go public ( Here )!

We have the newly found oil flats in the arctic, we have tons of oil in canada which is a little more expensive to get then regular oil, (oil sands) but in the end, if we need to its there.

well...

[zzottt]

Looks like I picked the wrong week to quit sniffing glue.

Stop quoting marketing messages

Verizon is just trying to proof the relevancy of their so-called 'security' tests. They do not really perform any security test at all. Please, stop posting these marketing messages. And puleaszze, stop this semi-bullshit measures such as 44%, 78% ...

Security is a process not a product

[Afforess]

There is no such thing as security. You can become more secure, but never absolutelysecure. Security is a process, not a product. The moment we realize this, most of these problems go away.

Instead of looking for the "silver bullet" in the form of a anti-virus software, you should be using anti-virus in conjunction with Firewalls, the latest patches for your OS, and safe browsing habits. After all, I would bet that 9/10 viruses come in the form of human error rather than the case of a malicious hacker trying to force entry to your system.

Re:Security is a process not a product

And if 80% of your security products are no-ops, you're still pretty screwed :)

It does sound like ICSA Labs' customers use them as QA. So, hopefully, released software is not that bad.

Re:Security is a process not a product

[flyingfsck]

'Security is a process' is a tired cliche and a cop-out. What you are saying is: Our firewall doesn't quite work, but if you buy all these other pieces of shit that also don't quite work and implement all these procedures and unplug your network cables, then you'll have a good system...

Re:Security is a process not a product

[TwistedGreen]

No, what he's saying is that a single security solution will never work 100%. You're right, the only magic bullet is to unplug your network cables, but that's not going to happen. That's why you need multiple lines of defense combined with informed usage policies.

And in related news...

[fuzzyfuzzyfungus]

The TSA has issued a press release calling their performance "In line with industry standard private sector security solutions"...

Talk about devaluing security

This report is not good news. While ICSA is promoting the need for certified security products, it may do more to convince security managers that they've been getting ripped off. This is what Larry Walsh writes in his blog: http://blogs.channelinsider.com/secure_channel/content/analysis/80_of_security_fail_to_meet_performance_expectations.html

Confidentiality Integrity Availability.

[Dr.+Evil]

This all sounds like security certification speak.

Among the recommendations from the article: "Use certified products. While certification can never eliminate risk, it substantially reduces risk by ensuring that products meet objective, publicly vetted criteria."

This shouldn't be on Slashdot. We all know that the best software tools are FOSS, subject to the most rigourous testing and peer review. "Certified Products" are a black box with a "Trust us" next to a logo for a "Limited Liability Coproration."

The article should be lumped in with the Gartner reports and marketing materials.

Re:Confidentiality Integrity Availability.

Yes and NT4 got EAL rating with a bunch of qualifications.

A whole industry of 'certifiers' has sprung up to make money off clients who can then paint gold stars on their products - just like wine or cigars.

Everyone is missing the point: The vendor is proactive and up to it - or they drag the chain about timely patches. If they are 'one monthers' On this score, BSD beats MS.

Re:Confidentiality Integrity Availability.

We all know that the best software tools are FOSS, subject to the most rigourous testing and peer review.

No I don't think "we all know" that. You can't just lump a cateory of programs together and say "It's the best! Everyone agrees! All other programs are crap!". While the merits of FOSS are what I personally find the best, speak for yourself next time, even if it's merely fanboyism.

Re:Confidentiality Integrity Availability.

[GroovinWithMrBloe]

I've been involved in certifying a firewall to meet ICSA requirements. Let me say that it can only be a good thing to take into account what certifications the product has before using it. This includes FOSS and commercial.

While it's nice that you can review the source of FOSS tools, that gives you no guarantee that the tools are configured appropriately and securely. If you are in an organisation that requires a verifiable degree of security (or as management sees it: level of risk) then using certified products is a no-brainer. No one claims a certified product is absolutely secure, and you should never base a purchase decision purely on the 'does it have a shiny certification logo on the carton?', but when using a certified product you can at least say that X, Y & Z situations are covered. This is especially important in the situation of a breach, where the integrity of logging is important. You don't want your boss screaming at you because the timestamps were wrong or inconsistent, that some data was not logged, etc...

If you are interested, take a look at the criteria for certification for firewalls - http://www.icsalabs.com/technology-program/firewalls/modular-firewall-certification-criteria-version-41

There are a lot of FOSS based products, including the one I worked on, that are ICSA certified. You can have your cake and eat it.

Re:Confidentiality Integrity Availability.

Hrm, YES!!! and NO!!!

As someone who's been through most of the US govt's software certification programs - I think it would be difficult to get past the labs and algorithm tests with broken security. Yes, there will be bugs - but generally, not broken security models. You get a nice interview grilling, write complete functional specifications, document and get a comprehensive algorithm & key management testing regime. Yes, there are problems with things like FIPS 140-2, but in general you wouldn't get past the interview process unless you have a real clue.

OSS projects like OpenSSL, Linux kernel, etc are shining examples of good process, but there's also a lot of unproven, broken software as well (both commercial, and OSS). Inadequate P-RNG's and misunderstands concerning key security/management are the beginning. Bad crypto algorithms, complicated models, imaginary security, lack of documentation, and a general lack of experience are common issues in *any* security product.

In other words - it comes down to experience and eyeballs in both commercial & OSS cases. That's why you see OSS getting certifications just like the commercial offerings - it's minimal proof just like any diploma or license that says "I have a clue."

Re:Confidentiality Integrity Availability.

[Dr.+Evil]

FOSS tools are disadvantaged when it comes to certification because certification is expensive, time consuming and resists changes in the project. On the other hand, for-profit vendors are disadvantaged when it comes to security because scrutiny is limited and the motive changes from quality to profitability.

We don't know how to do security

[jonaskoelker]

This highlights a point you may very well know already, but allow me to restate it:

People (at least people who program computers) haven't really figured out how to write secure code.

Well, what do I mean by secure code? Code that is 100% secure against a particular well-specified threat, or several of these. I.e. "only users logged in as root on the local console can [...]; users accessing the database through the web interface can't [...].", or "no TCP flow will cause the $OS network stack to crash", or [etc.].

This article is merely the observation that even when people write code that has a security function, they can't magically do better than everybody else.

Also, I'd like to advocate the viewpoint that security is a system property. You can't apt-get install security. Putting a firewall in front of a flaky app (especially a flaky proprietary app) is not going to work well: if you need code to detect whether a packet is evil or not, why don't you put that code in the application, so you don't have three competing vendors waste time trying to be the best flaky-packet-handler for $APP?

Oh well, I guess you can ship sooner. Also, if the original developers of $APP can't get the don't-be-flaky right, we might need something to stand in front.

(I hope this is more coherent than my feeling of well-being would suggest I'm able to make it)

Re:We don't know how to do security

[maxume]

It isn't just the knowing, there is also the bothering. For instance, buffer overflows and SQL injection are some of the most commonly exploited flaws in programs, and the prevention of both is well understood.

You can't buy security

[secretcurse]

Is anyone here suprised by the fact that security isn't something anyone can buy?

Two things cause security problems.

[TheRaven64]

The most common source of security problems is poor user interfaces. These can't easily be fixed by third-party products. A ludicrous password policy, for example, which makes people write their passwords on post-it notes because they can't remember them, is a good example. ActiveX allowing untrusted code to run with full privileges with a single button press was another example. UAC and SELinux also suffer from this; the UI is so bad that people often just disable them.

The other cause of security problems is bugs. The OpenBSD developers like to say that the only difference between a bug and a security hole is the intelligence of the attacker, and they're not far wrong. The number of bugs in a piece of code is roughly proportional to the complexity of the code. There are some scale factors, such as the amount of testing, the experience of the developers, and a few other factors, but all other things being equal complex code will contain more bugs than simple code. When you add something like an antivirus program on top of an existing complex system, you are adding a huge extra layer of complexity and hoping that this will fix things. This is why I have no faith in things like MS Singularity. They are replacing a very simple mechanism (hardware-enforced page protection on memory) with a complex mechanism based on type theory and implemented by a huge virtual machine and expecting it to be more secure. If you want a secure system, you should build the complexity from simple layers. Adding Mondrian memory protection to CPUs would be a good start.

Re:Two things cause security problems.

[mcgrew]

A ludicrous password policy, for example, which makes people write their passwords on post-it notes because they can't remember them, is a good example

If your office door has a physical lock on it, a postit note isn't insecure. My office has no door so I keep passwords written down, in my wallet, disguised as something else. At home it's a list of sites and passwords written down and laying on the computer desk.

I'd like to know why there's the "change your password monthy" rule? It seems to me that a rule like that invites easy to remember (and guess) passwords.

Re:Two things cause security problems.

[TheRaven64]

If your office door has a physical lock on it, a postit note isn't insecure

And the cleaner, being paid minimum wage, won't be tempted to make a couple of years' salary selling the password to an unscrupulous competitor? Depends on your market and how well you vet your staff...

I'd like to know why there's the "change your password monthy" rule?

Cargo cultism. This one actually used to make sense, but was copied by people who didn't understand it. Passwords are stored encrypted. To reduce CPU load, they used to use very simple hashing / encryption algorithms. A month was about as long as you could guarantee that a copied password file would remain secure. This hasn't been the case for several decades, however (and on Windows systems it takes about ten minutes to decrypt the passwords, because they are (were?) stored in a very silly way).

Re:Two things cause security problems.

[Eevee]

Close but no cigar. You change passwords periodically in order to limit damage. If your password is discovered by someone, then they can only exploit it until the next password change. Guess what...if you keep the same password forever, it can be exploited forever.

Yes, there are many circumstances in which the damage from a compromised password happens immediately after the compromise. But there are times when the damage is ongoing; consider a rival company monitoring the progress of a new product via email messages accessed via a compromised password.

Most PRODUCTS fail to perform

Change "most security" to "most products" fail to perform.

Software is generally poorly written, is not held to any product standards, comes with "NO WARRANTY", "NO FITNESS FOR A PARTICULAR PURPOSE" and contains "KNOWN DEFECTS".

It's like a new car coming with two flat tires, and you happily paying for it.

It's time we hold software to some decent standards.

Security and Love have something in common

[salesgeek]

You cannot buy security and you cannot buy love.

Re:Security and Love have something in common

But you can surely try. Isn't that right AV companies.

Bitter vet syndrome :)

[X.25]

Yeah, I am a bitter vet, and I am so damn happy I got out of that shit world called 'security'.

People were just too dumb, they always wanted to buy products to "make them safe", while they almost never wanted to invest into training, procedures, policies, etc.

Guess they're happy now.

Certification vendor hypes certification

[Morty]

So, a certification vendor says certification is necessary, based on statistics produced in-house. Subtext: security product vendors need to buy the services of the certification vendor. It might be true, or it might be bias. Hardly news.

When Will You Get It Through Your Thick Skull?

[mpapet]

The customer for 'Security Products' is some buyer typically disconnected from the nuts-and-bolts of security!

A bunch of mid-to-upper level people sit in a room and talk about 'security.' They don't understand it, but the like/need the idea of it so they can come off as believable to their customer. Better still the clicky-pointy-GUI and report generation features *really* feed the TPS beast. They talk past each other and pass reports around. Perception! Perception! Perception!

The finance industry is the perfect example. It is possible to build a system that meets various compliance standards without COTS products. In fact, you can build it for 1/100th the price and feature-perfect. But when the audit happens and the auditor *doesn't* get the report immediately recognizable as that TPS report generator from software house XYZ, your audit is now in jeopardy.

Either the audit costs skyrocket and probably fail simply because the audit didn't include a TPS report familiar to the industry or you buy the software from XYZ and the auditor gets his TPS report. What do you think is going to happen? Hint, you've probably never seen six-figure checks written to a COTS vendor so quickly.

and that's WHY we test things

[petes_PoV]

The article paints a negative picture, when in fact the opposite is true: testing works! When we test stuff we find the bugs, fix them and re-test. After a few iterations the tests are passed. What's wrong with that? As someone who's done a *lot* of testing in the past it sounds to me like the process works.

If the testing process didn't find any problems and passed a product on the firsat attempt, I'd be more suspicious of the tests than of the product - not that I'd buy the product, either.

"fail?"

[Lord+Ender]

Every security product "fails." It is impossible to prevent all threats. The point of security is to reduce the risk of compromise. There will always be some risk.

If an antivirus product stops now viruses at all, then it's a failure. If it lets some through but stops others, then it is actually a success because it reduces risk.

security products .. ?

[rs232]

Security isn't a 'product' that you can bolt on. Security is something that has to be built in from the ground up. A primary function being irrevociable auditing of all activity on the system. How you can design a 'security product' that doesn't accuratly log activity beggers belief. These 'products' sound like the typical management process of covering their arses with certificates.

'Incomplete or inaccurate logging of who did what and when accounted for 58 percent of initial failures'

Maybe...

[rgviza]

... we should point the finger at the criminals that write viruses and otherwise break computers.

They write viruses to "get around" current virus protection. Now if you have a tool that works, and a criminal circumvents it, how does that make the tool faulty? It wasn't faulty when it was written, what makes it faulty now?

Are the software engineers supposed to be able to predict the future? What constitutes a tool that works?

Why don't we hold police responsible for not predicting murders and fireman fires?

The notion that anyone could could write a perfect tool is a joke.

20 years in jail for writing a virus would be much better virus protection than McAfee.

Re:Maybe...

The threat of punishment is not a deterrent if the offender knows he'll never get caught. How many virus writers do you think are apprehended each year?

John Gabriel's Greater Internet Dickwad Theory has a dark side, too.

icsa = division of verizon

is anyone surprised that software vendors who would pay verizon to certify
their software as functional, would send in software that failed nearly half of initial testing?

i mean, it's a Huge shock to me that someone would pay verizon to certify their software...
and it's staggering that anyone who would want verizon's approval would have something
as complex as security software actually pass More than half of initial testing.

a proper headline for /. might be = "Insane software vendors pay verizon for certification" ... i'm waiting for "Irate costumers complain of $1.99 charge for any accidental clicks in AV program" ... or possibly "Furious customers charged $194,988.31 as software confuses .002 cents for .002 dollars"

certify security software? might i suggest remedial math and business ethics classes first?

No such thing as security?

Security - precautions taken to guard against crime, attack, sabotage, espionage, etc.

When a product is labeled "Security" it is supposed to provide this "process" for us. That is why we pay them money to do this for us.

Unwinnable war

Reminds me of a comment camarack left in a plan file 14 years ago about solving the problem of player cheating in online games.

Unless all malicious software developers (MSD) adhere to the evil bit its basically an unwinnable battle between security companies and MSDs.

The only way to win is not to play. Virus scanning and IDS don't have 100% coverage and thus should not be viewed as even a 1% solution to security issues.

Software and systems must be designed in such a way that proper levels of trust are maintained throughout the computing environment.

There is currently way too much focus on ineffective nonsense such as virus scanners, IDS, firewalls...etc. In the real world these systems can do quite a bit of good but this is only because design and deployment of underlying systems are fundementally flawed.

Many physical security products fail, too

[macraig]

As some folks know, a lot of physical security products don't really work, either; they give us a false feeling of safety when in fact there is little or no actual benefit. We've got half of America's cities lit up like Christmas trees at night now, burning who knows how many tons of coal every year to do it, but have all those street lights and backyard security lights really made us safer? Some people got a whole lot richer in that process, though.

Another even more striking example close to home: my city took over a formerly "bad" neighborhood and redeveloped it, and part of that "redevelopment" was the installation of wrought-iron fencing around the entire perimeter of the development. It's only about 7 feet tall, mind you, and the bars can be bent and broken by mere mortals (and routinely are). How effective do you suppose that's been at the claimed purpose? Arguably the gates blocking the streets have served the purpose, but the rest of that fencing is an expensive eyesore that did little but make a few politicians look productive and interdict the movement of children with friends on the other side of it. My city, a state capitol no less, has artificially segregated an entire neighborhood in the name of "security", and it failed completely.

So yeah, security products often aren't what they're cracked up to be. Is this really a shock to anyone? Security devices and methods often just pander to humans' natural tendencies toward self-delusion, and make their providers richer at the expense of those who now think they're safer. "False sense of security" isn't clicheed enough, apparently, because people are still being suckered.

Most Security Products Fail To Perform.....

So does ur mom!!!

Re:Most Security Products Fail To Perform.....

[sega01]

So does ur mom!!!

So does your comment.

Not surprised...

[sega01]

Mod me down, but seriously, SSL, DNSSEC, and so many things for "security" are just junkware, introducing their own bugs and problems while making things excessively bloaty. Noticed how many vulnerabilities there have been in SSL alone lately? It's scary and this really needs to be rethought.

Is this any surprise?

[AniVisual]

Security is a practice, not a product.

Here is the process... apk

"Instead of looking for the "silver bullet" in the form of a anti-virus software, you should be using anti-virus in conjunction with Firewalls, the latest patches for your OS, and safe browsing habits. After all, I would bet that 9/10 viruses come in the form of human error rather than the case of a malicious hacker trying to force entry to your system." - by Afforess (1310263) on Monday November 16, @08:59AM (#30114652)

AGREED, 110%: For those "not in the know" on pretty much ALL of what Afforess is alluding to, @ least for Windows users (2000/XP/Server 2003/VISTA/Server 2008/Windows 7) and to an extent (because of a multiplatform gauge of security test available for Solaris, BSD variants (sorry, no MacOS X), & Linux), even *NIX variants?

This ought to be of some assistance in this regards:

----

HOW TO SECURE Windows 2000/XP/Server 2003/VISTA/Server 2008/Windows 7, via CIS Tool Guidance (& Beyond):

http://www.tcmagazine.com/forums/index.php?s=3cc720a0e11b21f6d64454065efbb61c&showtopic=2662

----

Enjoy: It does work... & on the same basic principles as Afforess is outlining (some system maintenance/upkeep/tuning, & some "behavioral modifications" on the part of the end user.

APK

P.S.=> As to an indicator of how well it works, this is a testimonial from an end user who did well using said guide in the URL above, for himself, his family, & paying clients:

----

http://www.xtremepccentral.com/forums/showthread.php?t=28430&page=3

People such as THRONKA @ XtremePCCentral.com here stated, verbatim by he:

"Its 2009 - still trouble free! I was told last week by a co worker who does active directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half life in windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, its been to a lan party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008. Great stuff!"

----

apk