One Small Step, But Not A Giant Leap
The SANS Institute and MITRE just released the Top 25 Most Dangerous Programming Errors. This is one small step for man, as the saying goes, but the giant leap remains some distance off.
As many of the list's authors commented regarding the Top 25, this list represents a “first step.” And an important first step it is, but much work remains. Lists are not new to the InfoSec arena. The SANS Top 20, a list of the top 10 vulnerabilities for both Windows and Unix, has been around for over a decade without much improving cyber security (or, for that matter, software development practices, which were the root cause of many of the top vulnerabilities). The OWASP Top 10 has been plagued by a similar lack of performance. One need only look at the sorry state of cyber security to realize this. This is not criticism. This is an important observation that technical endeavors do not necessarily reflect or significantly impact economic reality. Namely, a list is a tool; it is not an incentive. And in any human endeavor, incentives matter.
On the blog, “Wolfe’s Den,” Alexander Wolfe touches on this very issue.
More Than Coding Mistakes At Fault with Bad Software
To quote:
“…security-clueless coding isn't the only thing responsible for software that sucks. Sadly, most people in the industry know what the problem is. So why doesn't anyone ever do anything about it?
You old-timers -- programmers who worked in the business before the PC industry kicked the waterfall development model to the curb -- know what I'm talking about. That waterfall model was replaced by a process (and I use that word loosely) where the modus operandi was to cram in as many features as possible before the shipping cut-off date, and then fix the problems in beta.”
In other words, important incentives are missing. The absence of features is obvious to software buyers; the absence of security is not. There are few incentives for software manufacturers to create high quality, secure software, so such software is under-supplied in favor of feature-rich software, despite the obvious need for it. What Alexander Wolfe implicitly questions is this: if incentives to create better software remain absent, then what good is a Top 25?
A logical retort might be, “well, using the Top 25, software buyers will be able to buy much safer software; demand will increase for safer software and so too will the incentive to increase supply.” And to a degree this is true. The Top 25 has already been adopted by the State of New York and other state governments. But the same argument could have been, and has been, made for the OWASP Top 10, the SANS Top 20, and the CIS Benchmarks. Each has had individual (and important) wins in the marketplace, such as the Air Force’s Standard Desktop Configuration or the inclusion of the OWASP Top 10 in the PCI standard. And yet cyber security on the whole still languishes.
The problem has been that while some might adopt a given list or benchmark, many do not, thus diluting incentives for software manufacturers to respond accordingly. In simple terms, for every buyer that employs the list/benchmark there are thousands that do not. While some positive externalities are created by those that employ a list/benchmark, it has clearly not been enough.
Don’t get me wrong. That the State of New York and other states are using the Top 25 is promising. Such individual initiatives are necessary at this point in time, but do not mistake them for sufficient. First, such individual initiatives are monstrously inefficient because each software buyer must negotiate terms separately. This is expensive both for buyers and sellers, no matter how wonderful the Top 25 might be.
Second, to employ a given list or benchmark effectively, especially in a market environment, requires software buyers to bring knowledge, desire, and effort (and don’t forget money). Consider for a moment the resources expended by the Air Force in negotiating specifics for its desktop configuration and you’ll get an inkling of the problem. This was no small feat. Not everyone has the Air Force’s (or New York’s) resources, knowledge, desire, or money. Such characteristics are inconsistently distributed across the population. Inconsistent commitment and lack of coordination among market participants represent a significant barrier to improving cyber security for the nation.
The Giant Leap then is to influence software buyers to adopt the Top 25 on a sufficiently broad scale that national and economic security is positively influenced. Individual buyers should not be forced to contract for the Top 25, nor can adoption of the Top 25 be left to the market alone. As the CSIS Commission on Cybersecurity for the 44th Presidency stated in its report, market forces are ill-equipped to meet national security and public safety requirements.
This is why I strongly favor a federally-backed software assurance labeling regime [see Democratizing Cyber Security for details] using the Top 25 as an important (but initial) technical baseline. A labeling regime is far more efficient than individual initiatives and it does not “force” or compel buyers to negotiate terms they may have little desire to negotiate. A labeling regime simply makes visible the intangibility of software security and allows the market to price (and thus incentivize) security accordingly.
The Top 25 should be celebrated loudly and well. But after the congratulations we should sit back and ask ourselves the question posed by Alexander Wolfe, “we know what the problem is, so why doesn’t anyone ever do anything about it?”