The next iteration of BSIMM was released today (BSIMM2). Like its predecessor, BSIMM2 is a descriptive model for software security, but with more data…and this is important.
One of the great challenges in business is the ability to simply figure out where you stand in comparison to your peers and competitors. In other words, executives often attempt to “look left, look right,” and then figure out where they stand. Business leaders don’t really need to know what they should do (that’s what business schools are for); they want, and need, to know what is going on in the field and how to adjust to it. The problem is that looking left and right is not always easy for business leaders, and it is certainly not always easy for security leaders. The list of shoulds is long and exhausting in the security space, and not always helpful. What is actually going on in the field is often much less clear.
This is one of the reasons why BSIMM keeps getting better. The newest release of BSIMM includes spider charts based on observations across 30 firms with skin in the software game (Adobe, EMC, Google, Intel, Capital One, Microsoft, and Sallie Mae to name a few). Page 10 should draw particular interest as it is a comparative chart between ISVs and financial services firms. As banal as spider charts might seem to the typical techie, they are a powerful communication tool that should prove especially helpful to software security leaders, advocates, and evangelists.
First and foremost, software leaders now have a reasonably strong ability to “look left, look right” and figure out where they stand based on real field data. For some sectors (such as retail or manufacturing) comparisons against ISVs or financial services firms might appear less helpful, but eighty percent of success is simply finding a place to start. The BSIMM2 charts are as good a place as any. The ability to “look left, look right” has profound implications for how firms deliver (and ask for) secure software.
Second, graphs provide at-a-glance comparisons that spark powerful conversations, and that is critical in my eyes. Prescriptions, especially security prescriptions, tend to put people (i.e., the executive managers who must allocate budget) on the defensive. Prescriptions shut down the opportunity for two-way discussion. Prescriptions promote the tendency of security folks to yammer on about risk, and controls, and countermeasures, and APT, and passwords, and hackers, and whatever else we think business leaders must absolutely know about but don’t seem to understand no matter how many times we repeat it, again, and again, and again. In comparison, a chart simply gives us a chance to shut up and listen. Enough said.
Third and finally, I care deeply about software. Software is perhaps one of our greatest creations as a species. In 40,000 years, we went from stone tools to the iPhone. Software is a universal tool with almost unlimited possibilities, much like us. In my eyes, software should be an expression of our greatness, not evidence of our inattention. Right now, the United States is getting absolutely hammered by cyber attacks. The Aurora attacks are likely just the tip of the iceberg; it is a drubbing that is due, in part, to our inattention, to a sorry history of failing to build quality and security into our own software from the start and finding out only after it is too late. This is why the authors’ drive for intellectual rigor in the midst of an ongoing national disaster is so courageous and so desperately needed. BSIMM2 should help us expose inattention more quickly, but more importantly, it should help us express our greatness more fully. That is a very good thing.