Needed: Leader, Champion, President
A general principle of conflict is this:
Set the rhythm and pace of battle, or your adversary will do it for you.
This is true in business, warfare, sport, and even politics, as the current election activities of Messrs Obama and McCain demonstrate ("define yourself and your opponent to voters before your opponent does"). Failure to abide by this principle puts triumph at risk and might even foretell calamity. Unfortunately, the current state of national cyber security for the United States and many other countries appears to be doing just that. Adversaries are setting the pace of battle and defining the time and place of assault in cyber space...not defenders, not law enforcement, and certainly not legislatures, at least not in any meaningful way. This is worrisome. It is also unacceptable.
We indeed have cause for concern. Being a target does not make a good first impression. This is true in almost any circumstance. It is especially true in cyber space. Unrelenting software vulnerabilities, rampant and complex configuration mandates, fragmented and incomplete cyber protection solutions, and a general lack of accountability for everyone except consumers make cyberspace a veritable cornucopia of weakness, disorder, and mayhem. It also invites more of the same. Defenders scramble to the walls hoping for the best, regularly spending billions of dollars to be little more than targets and victims.
It is no wonder that cyber criminal and espionage activities proliferate while we congratulate ourselves for the paltry increase in captures, indictments, and arrests of perpetrators. The Internet is a target-rich environment. Cyber attackers know this. For every attacker we catch, one hundred are there to fill the spot. Improved global cooperation between local law enforcement agencies certainly helps, but capture is far from a compelling disincentive given all that is at stake and all that is made available by computer systems brimming with flaws. The current state of the Internet invites and breeds cyber attackers while placing users and defenders of cyber space at a substantial and ongoing disadvantage.
And it just got worse.
Recently, the LA Times published the following article:
Public, private sectors at odds over cyber security
To quote:
Three very big and very different computer security breaches that have dominated recent headlines did more than show how badly the Internet needs major repairs. They also exposed the huge rift between corporate America and the federal government over who should fix it, cyber-security experts say.
In the last few months, law enforcement officials cracked an international ring that tapped customer databases and trafficked in tens of millions of credit card numbers; a researcher uncovered a major flaw that permits hackers to steer some Web surfers to fake versions of popular websites filled with malicious software; and computer assaults, which some researchers said they had traced back to Russia's state-run telecommunications firms, crippled websites belonging to the country of Georgia.
Yet the episodes did little to boost cyber security higher on the agendas of the federal government or the two major presidential candidates.
"Nothing is happening," said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. "This has got to be in the top five national security priorities."
Dixon is just one of hundreds of technology executives and experts who have been saying for years that Washington needs to do much more to protect consumers, businesses and the government itself from attacks by criminal hackers and those supported by rival nations.
The government has largely argued that the private sector is better suited to tackle the broader problem.
But big corporations say it's too big for them to handle. They say the Internet's technical underpinnings, which are loosely administered by the Commerce Department, need a major overhaul to eliminate vulnerabilities.
To summarize the article in very simple terms, Internet users - individuals, corporations, businesses, and government itself - are sitting ducks in a stagnant quagmire created by indecision and finger pointing. No one wants to own this issue, and all are more than happy to leave the burden of cyber security on consumers, who have very little voice, very little coordinated power, and are the least qualified to handle the burden.
This is shameful.
The Internet's technical underpinnings indeed do need a major overhaul to eliminate vulnerabilities. The Internet is made of software...insecure software...terabytes of it...and if we are to start defining the rhythm and pace of battle, insecure software is a wonderful place to start. Attackers do not break software; attackers discover flaws manufacturers failed to detect themselves before product release. Reduce software vulnerabilities and reduce one of the primary advantages for cyber attackers. In other words, unrestrained vulnerability dumping by software manufacturers onto other market participants must end. Period.
The software industry has been inappropriately treated with kid gloves far beyond its infancy for fear of hurting innovation. This is understandable, but entirely indefensible. Innovation without accountability has proven disastrous in other industries. It is difficult to imagine how the software industry might be magically immune to what others are not. The software industry is a major player in the economy and affects a major portion of the economy. The industry operates well within the big leagues of commerce now and should now play by big league rules.
Big Pharma and Big Auto remain innovative - wildly innovative - despite regulatory oversight and enormous financial and legal accountability for possible blunders. And though the price of these products may appear high to some, such pricing reflects the social costs of their activities which before only customers paid - unexpectedly and without warning.
Time and time again manufacturers have been shown to be the least cost avoiders...the ones most appropriate to bear the burden of defects and damages they themselves created. Stop software manufacturers from regularly dumping vulnerabilities into cyberspace without paying the social costs of such activities. Software might indeed become more expensive, but it is already inexcusably expensive in time and/or money for what we get (and more importantly do not get).
The software industry must no longer be permitted to release preventable and detectable flaws into the global stream of commerce nor be permitted to release products that are unable to withstand highly foreseeable cyber attacks without paying the associated social costs. Relying on the good will of individual software manufacturers to consistently produce secure software is too uneven and too arbitrary to base our personal, economic, and national security upon.
To set the pace of battle requires us to end our squabbling, resist off-loading responsibilities, cease abdicating defense to the unqualified, quell unrestrained vulnerability dumping into the market place, and to own this issue like a nation-state concerned about its security should.
The next President of the United States needs to take ownership of this critical issue; to lead where others have clearly chosen not to. "We cannot expect the Congress and the Federal Government to stand idly by if the toll of disaster continues to go unchecked." These words, spoken by President Harry S. Truman in 1946, started the wheels in motion to make safety on U.S. roads a reality. He was a champion, a leader, and an example of how the next President should approach cyber security for the Information Superhighway. Truman's words and actions, along with those of Presidents Eisenhower and Johnson, finally debunked the old "truths" of highway safety:
- that safety was only a State responsibility
- that drivers could be convinced or taught to drive more safely
- that the automobile industry was capable of setting its own rules and standards for safety
The ever-increasing rate of fatalities and injuries on highways provided plenty of evidence to debunk these old truths. So too does the ever-increasing rate of cyber crime, cyber espionage, and cyber attacks on the Internet debunk the old "truths" of cyber security:
- that security is only a network owner's responsibility
- that computer users can be convinced or taught to configure their systems securely
- that the software industry is capable of setting its own rules and standards for secure software
Mr. McCain or Mr. Obama needs to champion the security of the cyber infrastructure in the same manner as his predecessors championed highway safety; to ensure that the cyber infrastructure of our lives and our livelihoods is suitable to the task, that it can withstand highly foreseeable malicious activities, and that accountability is balanced among market participants. Failing to do so promises to increase the number of sitting ducks and make the stagnant quagmire of collective indecisiveness all the more repugnant.