Apple delivers record monster security update
Becoming wildly popular has benefits; it also has repercussions. According to a Computerworld article:
Apple [yesterday] patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems.
"The sheer number, it's almost so daunting that you don't even want to look," said Andrew Storms, director of security operations at nCircle Network Security.
On the contrary, we need to take a look; a very hard look. The grueling spotlight of popularity makes blemishes all too conspicuous in software products, but by then, it is too late: customers become unwitting targets for cyber attackers. As Apple increased in popularity, so did its customers' exposure - specifically, to latent security defects that jeopardized Apple's loyal followers. The graph below illustrates the rise of disclosed vulnerabilities in Apple products compared to market share.
The 2004 to 2005 time frame shows a marked increase in the number of disclosed vulnerabilities as Apple's market share improved from 3.4 percent to 4.35 percent. When market share reached 7.3 percent in 2007, disclosed vulnerabilities skyrocketed by 268 percent (from 2004). This suggests that security is not part of the popularity contest; that is, a drastically increasing number of vulnerabilities did not negatively impact Apple's market share. Security is highly decoupled from other competitive pressures and thus software manufacturers can largely ignore software security without fearing customer backlash.
Of course, strong opposition exists to employing software vulnerabilities as a measure of security. Still others argue that it is not the number of vulnerabilities, but the number of exploits that matters most. Both arguments have some merit. But vulnerabilities give cyber attackers an unacceptable advantage. Vulnerabilities are indicative of poorly written, poorly designed software. Vulnerabilities send a signal to attackers, which in turn invites more attackers to search for other vulnerabilities the software manufacturer failed to detect before releasing the product. Vulnerabilities jeopardize customers. Period.
Perfect software is not possible, but it could be suggested that buyers tolerate far too much imperfection, and discover the degree of imperfection far too late to sufficiently counter risks to themselves or significantly alter the behaviors of software manufacturers that introduce those risks in the first place.