Slashdot Mirror


The Security Industry Is Failing Miserably At Fixing Underlying Dangers

cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.

28 of 205 comments

  1. What's the solution? by jandrese · · Score: 2

    It seems like his solution is: Simply don't release code that has bugs in it. Which is kind of like saying that the airline industry would be so much more efficient if we could just get rid of wind resistance.

    --

    I read the internet for the articles.
    1. Re:What's the solution? by Lazere · · Score: 2

      Well, it would.

    2. Re:What's the solution? by GameboyRMH · · Score: 2

      More like saying the airline industry would be much more efficient without human error...in fact it's pretty much the same thing. Wouldn't it work better if planes didn't need safety equipment or redundant safety checks, and all the passengers and crew moved with perfect timing like they were in some kind of dance routine?

      Human error will always exist. Deal with it.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:What's the solution? by jellomizer · · Score: 4, Informative

      Well companies can do much more to improve on that front though.
      1. Architect the product, not just build it. All too often the focus is on meeting business objectives and security is added later. A product that was well thought-out and designed handles security as part of the core design as well as the business objectives.

      2. No Back door, design the program so the programmers can't get in without having rights to do so. The password DB should be only managed by the computer and humans shouldn't be able to figure it out.

      3. Infrastructure planning. The Website shouldn't also be the Database server. The Database should only allow access from select sources, and give permissions that are appropriate to the user.

      4. Plan for failure. Figure if someone breaks into the system, find a way to minimize the impact. Make sure the Salt for your hashes is hard to find, etc...

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:What's the solution? by DarkOx · · Score: 2

      Honestly I think the problem is the universities don't actually teach any CS. They don't even teach programming, they teach C++, C#, or Java.

      We would be better off if students were taught in their professor's boutique language that exists nowhere in industry, frankly. That would at least move the emphasis toward general theory and patterns. As it stands today most grads spent all their time memorizing what's in the standard library for whatever language they were taught and don't have any clue how to architect software or systems of software.

      So the next thing you know unsanitized input is being concatenated onto some string and fed to some cousin of eval() in the language du jour. If we are lucky they read on some security blog that they should make sure to check stuff passed to that function, but it never occurs to anyone that the very fact they need eval() in the first place suggests strongly their approach is bad, and we still have an injection once some hacker figures out they can use parens instead of spaces and bypass the input checking or something.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
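As an added illustration of the eval() point above (example code written for this page, not from the commenter or any project): a hypothetical calculator feature written both ways, the filter-then-eval() anti-pattern and a small interpreter that accepts only the arithmetic grammar the feature actually needs, so there is no input check left to bypass. The function and constant names are assumptions.

```python
import ast
import operator

# Hypothetical anti-pattern of the kind the comment describes: user text is
# string-concatenated and handed to eval() behind a denylist of substrings.
DENIED_SUBSTRINGS = (" ", "import", "__")


def calc_with_eval_and_denylist(expr: str) -> float:
    """Kept only for contrast. Any construct the denylist forgot still runs,
    so 'checking stuff passed to eval()' is a contest the filter loses."""
    if any(bad in expr for bad in DENIED_SUBSTRINGS):
        raise ValueError("rejected by denylist")
    return eval("(" + expr + ")")  # the bad pattern: do not copy this


# The alternative: never call eval(). Parse the text into a syntax tree and
# interpret only literals and arithmetic; everything else is refused.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _eval_node(node):
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        # Even pure arithmetic has a resource-exhaustion edge: bound exponents.
        if isinstance(node.op, ast.Pow) and abs(right) > 64:
            raise ValueError("exponent too large")
        return _BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
        return _UNOPS[type(node.op)](_eval_node(node.operand))
    # Names, calls, attribute access, subscripts, comprehensions, ...:
    # outside the grammar, so rejected structurally rather than filtered.
    raise ValueError(f"unsupported syntax: {type(node).__name__}")


def calc_safely(expr: str, max_len: int = 200) -> float:
    """Evaluate an arithmetic expression without eval()."""
    if len(expr) > max_len:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError("not a valid expression") from exc
    return _eval_node(tree.body)


def is_accepted(expr: str) -> bool:
    """True if the safe calculator evaluates expr, False if it refuses it."""
    try:
        calc_safely(expr)
        return True
    except ValueError:
        return False
```

The safe version never needs a list of forbidden tokens: a function call or a name is simply not a node type the interpreter handles, regardless of how it is spelled or spaced.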
    5. Re:What's the solution? by preaction · · Score: 4, Insightful

      I'd say the aerospace industry is dealing with it a lot better than the software industry. Perhaps we should get held up to the same standards, maybe then we could earn the title of "(Software) Engineer".

    6. Re:What's the solution? by Penguinisto · · Score: 2

      I'd say the aerospace industry is dealing with it a lot better than the software industry.

      This is somewhat because the airline industry has been around for far longer, but mostly because their screw-ups usually generate large numbers of dead people.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    7. Re:What's the solution? by Bengie · · Score: 2

      So far my only experience as to why stuff takes so long to program is because there was so little architecting from the get-go. Too many engineers have access to tools that can get the job done, but don't realize how they work. All the nuances that make certain tools different creates huge differences in performance and security when the tools are mixed together.

      From my perspective "Cheap. Fast. Good." all go together. The quickest projects to complete are well designed. Maybe I consider it cheap because I don't pay my own salary.

    8. Re:What's the solution? by fnj · · Score: 2

      The airplane wing is curved on the top, and flat on the bottom. The wind has to travel farther over the top of the wing than the bottom, meaning there is less air pressure on the top of the wing, more on the bottom, and that's what generates lift.

      That is the most frequently cited bunch of baloney in explaining lift. The easiest way to demonstrate what a load of bull it is, is to point out that a paper airplane develops lift and glides fine, even though both the top and bottom of the airfoil are flat. A close second is to point out that planes with aerobatic capability can develop lift and fly inverted. Then there is the fact that perfectly symmetric cross section airfoils work fine as wings, being quite popular in models, but also found at full scale.

      Lift is developed by shaping the flow of the airstream. Vortex theory is key to understanding the truth of it. Check out the Lanchester-Prandtl wing theory, based on work by the great Max Munk.

    9. Re:What's the solution? by TubeSteak · · Score: 2

      This is somewhat because the airline industry has been around for far longer, but mostly because their screw-ups usually generate large numbers of dead people.

      Or because the FAA holds the airplane manufacturers to an extremely high standard for their software.
      There's no one holding Microsoft or the creator of Flappy Birds to any standard of security.

      /I know /. has some programmers who are familiar with airline standards, so maybe they'll chime in.

      --
      [Fuck Beta]
      o0t!
    10. Re:What's the solution? by penix1 · · Score: 2

      Or because the FAA holds the airplane manufacturers to an extremely high standard for their software.

      Although that may be true, the FAA also requires all the backup systems to software-driven indicators to be mechanical. So for example, the flight level indicator is duplicated as a mechanical instrument in case the electronic one fails. Same thing with the airspeed indicator, fuel gauges and other critical gauges. Especially if you are talking passenger aircraft. Many even have mechanical backups for hydraulic failures.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  2. TL;DR version by Anonymous Coward · · Score: 2, Insightful

    "We have no consequences for sloppy design and we don't hold organizations accountable for bad things."

  3. There's no money in being secure by swb · · Score: 4, Insightful

    But there sure is a lot of money in selling threat paranoia.

    Plus software vendors are apparently immune from product liability, so they never bear any costs for defects that lead to poor security or for implementing security poorly. If they had liability for this I think you'd see a lot fewer security defects, but probably a lot fewer features as well.

    1. Re:There's no money in being secure by Anonymous Coward · · Score: 2, Interesting

      Hah. This is too rich. I'm an engineer. An actual engineer in the traditional, licensed variety. I design physical structures that are used by the general population and have to ensure that they are safe for the next 50 to 100 years. Oh, and that they will survive the next 1-in-5000 year earthquake event, etc. I have a whole lot of product liability for what I put out and I can assure you, I do not make the same amount of money as a doctor. Hell, I don't even make the same amount of money as most software developers I know. Sign me up for being a "software engineer" where the worst thing that is going to happen to me is that I will lose my job. Right now, while making less money, the worst thing that can happen to me for the work I put out is having a collapse kill a bunch of people, going to jail, losing my job, and not being able to practice engineering anymore. Care to trade?

      -anonymous geotechnical engineer

  4. Holy buzzwords Batman! by rujasu · · Score: 2

    ... substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.

  5. an ounce of prevention is worth a pound of cure. by Sleeping+Kirby · · Score: 3, Insightful

    I do have to agree in that the current development style/strategy (agile development) is less geared towards solid development and more on features and getting stuff out there. I think the article is just saying that they should do less of pushing out features and new things and more on good programming/fixing known bugs. Of course putting out a bugless program is near impossible, but there's a difference in better prevention versus better clean-up.

    --
    please... let me sleep... a little more... yay, no longer anonymous coward.
  6. Re:How is that the security industry's fault? by gbjbaanb · · Score: 4, Insightful

    it's an underrated point - why don't software engineers have to make products as reliable and good as more expensive engineering projects... and I think the clue is in that question.

    Why can't a software engineer make something that is as reliable as a bridge? Because a bridge costs a flipping fortune and can't really be reworked after implementation, so there's a huge incentive to get the entire team together to get it right. And that means the people who really make the bridge are the architects and project managers. In software terms, we have few architects and they're usually crap ex-developers who think they know it all, and project managers who are incompetents who think it was a job they can hide their lack of skill in. Meanwhile you have a load of developers who think they are the only ones who can do the job.

    A really good software project would require a technical architect who really understood what was happening and how things worked, and a project manager who understood timescales based on experience and managing the project deliveries and organisation.

    It would also require a project based on old technologies - no-one really has time to get to grips with something like 'real' engineers have to do because the platform they stand on gets whipped out from under them all the damn time - which is also a problem as the idiots who don't know a thing use this as an excuse to hide their lack of talent too (how many times have you heard that someone wants to rewrite in cool new technology almost for the sake of it - you can guarantee it's because they can't hack doing the boring work maintaining or improving the old stuff, a lack of skill they'd still have if they did get to rewrite - no rewrite ever is any good, it's almost always an even worse PoS).

    So all in all, there's a huge lack of professionalism in software caused by a lot of factors but I think the biggest one is the real lack of earned experience. We don't allow the good stuff to be built upon, we throw it away and start again with something else. We throw the good staff away and say they're not keeping up with technology. We hire kids because they have some buzzword on their CV.

    Anyway, we don't hold software engineers to the same high standards because we refuse to accept old, working stuff. We only want cheap new shiny crap. It's no wonder the software world has turned out like it has.

  7. Re:As long as Republicans keep pushing Windows... by Lab+Rat+Jason · · Score: 2

    Cite your sources.

    --
    Which has more power: the hammer, or the anvil?
  8. Here's the problem. by johnnys · · Score: 5, Insightful

    The "Security Industry" makes money for the shareholders selling "stuff". Any time they see a problem, they will treat it as an opportunity to sell more stuff, since that is how they make money. If the problem is because the customer has already bought too much stuff, they will still try to sell the customer more stuff since THAT IS WHAT THEY DO.

    So if you want to be secure, what do you do? We all know: You get rid of crappy software, simplify your systems, remove unnecessary cruft and hire developers, network systems people and architects who can build you what you need securely. You do NOT hire the cheapest meat puppets who can find the company website and spell "javascript" and you don't outsource your security to the lowest bidder.

    This requires real effort on the part of the company paying for all this: They need to recognize that the "Security Industry" and their shiny, happy sales droids are just parasites ripping off the public with the "latest and greatest security stuff that will really protect you this time I promise not like all the other times, I really really mean it THIS time!".

    They really need to understand that the RIGHT way to GET Security is to design it in, have the right people building and managing it and proper oversight over all of it. To do that you have to treat it as a profession and a core part of what the company does, not as a "service" or "product" that can be "bought in" or "outsourced" to a low bidder.

    Security needs to be treated as a profession in any company with a significant cyber presence, just like the accounting team, the legal team and the core business functions. Pretending it's "just something that we can buy from a vendor" is short sighted and ignorant.

    --
    Sometimes the "writing on the wall" is blood spatter...
  9. Cash is King by mrflash818 · · Score: 2

    Thanks to all of this, and the NSA/GCHQ Orwellian Internet world, I no longer do any commerce online.

    Online for me now is chatting, posting, blogging, /., emailing, sharing source code.

    I no longer do any purchases, or access any online systems that deal with money (banks, credit unions, etc), via the Internet.
    Even in the real world, I try to only get my cash via walk-up to a bank teller. No more ATM use. No more credit card/debit card use, if I can at all help it.

    Is trying to do a cash-only lifestyle a total time suck, and inconvenient? Yep.

    I am certain I can still be a victim, but I am doing what little I can to not be an easier target.

    "Always look on the bright, side of life..." -- Monty Python

    --
    Uh, Linux geek since 1999.
  10. Re:How is that the security industry's fault? by Kevin+by+the+Beach · · Score: 2

    Today during an architectural review.... (Architect) Where is the performance data? (Developer) I planned on doing that during a later sprint. (Architect) Can you guarantee that it will get done? (Developer) We can just roll this to production, it's not used anywhere. (Architect) facepalm, facepalm, facepalm....

  11. Re:In other news, water is wet. by Penguinisto · · Score: 2, Interesting

    Well what else is there to do? The Security guys have to deal with a plethora of headaches, including demanding (but clueless) PHBs, commercial software houses whose idea of secure code is to patch it only after holes are found/exploited, and the need to make these things usable.

    I mean, seriously - you can make something uber-secure, but you still gotta use the thing.

    Besides, the most substantial underlying problem isn't the software, but the idiot behind the keyboard, and there's no fixing that.

    Mind you, I agree that software should be vetted for security flaws and issues. I detest asshat software houses who have the motto of 'Release Date Uber Alles'. I also agree that aggressive release schedules and the too-often-piss-poor implementation of Agile bears a very substantial chunk of the blame.

    BUT - the days of glaringly obvious vulns are so rare now that they're pretty much nonexistent these days (with but a very small handful of exceptions.) There's also the problem that one can write the most secure software practical, but then $OS_Maker decides to patch/change something (esp. in memory-handling), which in turn opens a hole in your product that you could have never anticipated.

    I think TFA did two things wrong - one, he focused on one thing when security requires focusing on multiple things he gave nary a mention to (including that big fat variable also known as the user), and two, I do think that while yeah it's fun to poke at developers and blame them for stuff, asking for them to be psychic is a bit of a stretch. I say this because most software houses are honest about how they write code, and they do at least a modicum of diligence in that direction... yet they get raked over the coals when some ungodly complex vuln pops up that no human being could have anticipated (but at least one human being managed to stumble across.)

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  12. Solution: Don't buy crap by Opportunist · · Score: 3, Insightful

    Sorry, and I know I'll be very unpopular for this, but the blame is on YOU. Yes, YOU. You there who always have to buy the latest and greatest turd that someone puts into a shiny, sleek piece of plastic and calls it the NEW $whatevergadget. As long as you buy buggy, crappy, spyware-attracting, insecure shit just because OHHHH! SHINY! you get what you deserve.

    Welcome to capitalism. If I can sell you a piece of turd that stinks, why should I waste money on perfume?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Make the companies pay! by EMG+at+MU · · Score: 2

    I used to have a retirement account with a certain financial services company. They stored my password in plain text. To recover your password they would physically mail it to you. This kind of stupidity should be illegal. It should be criminal and the company should have to pay fines for being asshats.

    Companies don't fix underlying problems because management doesn't see any value in doing so. They also see no risk in having insecure products. Until there are real financial penalties for blatant incompetence regarding security nothing will improve.

  14. Re:Impossibru! by Opportunist · · Score: 2

    Just because this thread needs a car analogy, too: Antivirus is no solution for crappy software any more than safety belts are a solution for faulty brakes.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. Re:"an industry luminary" by sconeu · · Score: 4, Informative

    Uh, Gene *IS* an expert. He was one of the first guys to dissect the Morris worm, for example. He's been around from the beginning.

    http://en.wikipedia.org/wiki/Gene_Spafford

    Maybe you should go FIND a fuck to give.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  16. Re:In other news, water is wet. by cavreader · · Score: 2

    Software development requires balancing functionality and security with the amount of time and money you are willing to spend. Defining and enforcing internal basic safety related development guidelines on every project can help reduce the risk. Software has a relatively short shelf life. By the time you totally secure something you will be lucky if the software is still relevant. We have operating systems over 25 years old that are nowhere near 100% secure because the technology environment the software runs on has never stopped changing. Plus you usually start adding new functionality and correcting functionality bugs and other shortcomings immediately after each release. It's not as bad today as it was in the late 80's and 90's when new operating systems, hardware, and development platforms were being rolled out on what seemed like a weekly basis. I think people are trying to do their best today and the security awareness has increased where once upon a time it was almost a non-factor when organizing development projects. Most of today's cyber crime exploits take advantage of atrocious system administration, social engineering, and inside information. Companies that tightly restrict or even forbid internet access from within the corporate network can drastically reduce or even eliminate vulnerabilities if you also tightly restrict the use of external storage devices. Stuxnet is one of the most publicized hacks and it was delivered on a USB drive but it was hardly the first or last example of this type of attack.

  17. Re:How is that the security industry's fault? by rhodium_mir · · Score: 2

    I find that a group of novices is just fine to work with as long as there is somebody with enough experience to guide them (in this case that somebody being myself)

    Nobody sticks around longer than a week, huh?

    --
    You can't spell "oneiromancy" without "roman".