Re: [SC-L] Why Software Will Continue to Be Vulnerable
Greenarrow 1 wrote:

> But, the problem I see with this survey is they only polled 1,000 out of what over 5 million users in the USofA.

Political pollsters regularly sample 1000 Americans to get a prediction of 100,000 voters that is accurate to 5% or so. 1000 people should be sufficient to sample software users, unless there is something else wrong with the sample or the questions.

> Just randomly suppose they accidentally picked everyone that has superb software and hardware on their systems (unlikely but probable).

Just what does unlikely but probable mean? To suppose this, we have to think there is something wrong with the sample or the questions. What is it you think is wrong with the sample or the questions? Or is it just that you find the result to be improbable?

> On repairing systems for my customers I say 1 of 20 are only satisfied with their programs, so who is right, Harris Poll or my customers?

No, *there* is a skewed sample: the set of people currently experiencing a problem so severe that they have to call in a professional to repair it. Under just about any circumstance, I would expect this group to be highly unsatisfied with vendors. It's like taking a survey of auto quality in the waiting room of a garage.

What really mystifies me is the analogy to fire insurance. *Everyone* keeps their fire insurance up to date, it costs money, and it protects against a very rare event that most fire insurance customers have never experienced. What is it that makes consumers exercise prudent good sense for fire insurance, but not in selecting software? The only factor I can think of is that mortgage carriers insist that their customers maintain fire insurance. No fire insurance, no loan, and most people cannot afford to pay cash for their home.

So to impose a prudence requirement on software consumers, perhaps some outside force has to impose a pay to play requirement on them. Who could that be? ISPs, perhaps?
Similar to mortgage companies, ISPs pay a lot of the cost of consumer software insecurity: vulnerable software leads to virus epidemics, and to botnets of spam relays. Perhaps if ISPs recognized the cost of consumer insecurity on their operations, they might start imposing minimum standards on consumer connections, and cutting them off if they fall below that standard. Larry Seltzer has advocated a form of this, that ISPs should block port 25 for consumer broadband in most cases: http://www.eweek.com/article2/0,1759,1784276,00.asp

There are several other actions that ISPs could take:

* egress filtering on all outbound connections to block source IP spoofing
* deploy NIPS on outbound traffic and disconnect customers who are emitting attacks
* require customers to have some kind of personal firewall or host intrusion prevention

The catch: the above moves are all costly and, to some degree, anti-competitive, in that they make the consumer's Internet connection less convenient. So to be successful, ISPs would have to position these moves as a security enhancement for the consumer, which AOL is doing with bundled antivirus service as advertised on TV. ISPs could also position a non-restricted account as an expert account and charge extra for it.

Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com
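As an added illustration of the ISP-side controls Crispin lists (egress filtering against spoofed sources, the port-25 block, the unrestricted "expert" account, and cutting off customers who keep emitting attack traffic), here is a small Python policy model; it is not code from the thread, and the account names, prefixes and sample packets are constructed.

```python
# Added example (not from the thread): a model of the consumer-ISP egress
# policy sketched above, run over constructed accounts and sample packets.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Account:
    name: str
    prefix: str            # address block the ISP assigned to this customer
    expert: bool = False   # unrestricted "expert" account, sold at a premium

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def egress_decision(acct: Account, pkt: Packet) -> tuple[str, str]:
    """Decide whether a packet leaving acct's link is forwarded.

    Rule 1 is egress filtering: a source address outside the customer's
    own prefix cannot be legitimate, so it is dropped as spoofed.
    Rule 2 is the port-25 block: consumer accounts may not speak SMTP
    directly to the Internet, which is how compromised hosts relay spam.
    """
    if ip_address(pkt.src) not in ip_network(acct.prefix):
        return "drop", "spoofed source: not in assigned prefix"
    if pkt.proto == "tcp" and pkt.dport == 25 and not acct.expert:
        return "drop", "direct outbound SMTP blocked on consumer account"
    return "accept", "ok"

def apply_policy(acct: Account, packets: list) -> list:
    return [egress_decision(acct, p) for p in packets]

def flag_for_disconnect(decisions: list, threshold: int = 2) -> bool:
    """The 'disconnect customers who are emitting attacks' step: cut the
    link once the number of attack-pattern drops reaches the threshold."""
    return sum(1 for verdict, _ in decisions if verdict == "drop") >= threshold

# Constructed sample data (documentation-range addresses, not real hosts).
CONSUMER = Account("home-user", "203.0.113.0/29")
EXPERT = Account("power-user", "198.51.100.0/29", expert=True)
SAMPLE = [
    Packet("203.0.113.2", "192.0.2.10", "tcp", 443),   # ordinary HTTPS
    Packet("203.0.113.2", "192.0.2.25", "tcp", 25),    # direct SMTP to a remote MX
    Packet("10.9.8.7", "192.0.2.10", "udp", 53),       # forged source address
]

if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE, apply_policy(CONSUMER, SAMPLE)):
        print(f"{pkt.src:>12} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict:6} {why}")
```

Running it shows the consumer account's HTTPS passing while the direct SMTP and the forged-source packet are dropped, and the same two drops are enough to flag the link for cut-off.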
RE: [SC-L] Why Software Will Continue to Be Vulnerable
-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Friday, April 29, 2005 2:32 PM
To: SC-L
Subject: [SC-L] Why Software Will Continue to Be Vulnerable

> This makes it highly unlikely that software companies are about to start dumping large quantities of $$ into improving software quality.

That's interesting. And yet it's even worse than that. Software security for the most part is not yet a *business* problem. Most businesses (at least, that I deal with) still see software security as a feature problem (i.e., we'll add it in version 1.1), an operational problem (e.g., network security), or a process problem (e.g., log review or some such nonsense that they don't likely do anyway). Even worse, security folks that don't understand the problem make the issue political as they try to advance their careers by solving the problem with lots of security appliance widgets and scanners and such (which they don't understand either).

So you have (1) lack of public perception that there is an issue, (2) lack of business perception that it's their issue, and (3) Information Security Managers/CISOs trying to solve a business problem with more technology.

But all is not lost. There are still drivers:

1. Regulations. SB 1386 is starting to make a large impact in business perceptions.

2. Standards Certifications: albeit there is really an utter lack of Standards/Certs for software security, businesses are starting to look for these; several I'm dealing with are looking for these as selling features. E.g., "Our widget is more secure than Competitor Y's widget because it is certified secure software."

3. Real world compromises. Take something as simple as XSS. How do you take it seriously when NO ONE is exploiting it? (I know of only a small handful of cases between 2000 to 2003.) But that all changed in 2004, particularly December 2004 when there were a string of advanced XSS attacks against financial institutions.

(While there are some cool examples from 2004 that I use a lot in presentations, none, I repeat none, have any meaningful loss numbers associated with them that I am aware of.)

-ae
Re: [SC-L] Why Software Will Continue to Be Vulnerable
Crispin Cowan [EMAIL PROTECTED] wrote:

> ISPs could also position a non-restricted account as an expert account and charge extra for it.

That already happens in many cases, except they call it a business class account. The only one I've heard called some kind of expert account is that Speakeasy has packages with different sets of extras for the same price, such as SysAdmin (access to their rpmfind mirror), Gamer (access to gaming servers), and one I forget the name of (access to music servers). All of the above allow you to run your own servers.

-Dave
Re: [SC-L] Why Software Will Continue to Be Vulnerable
> What really mystifies me is the analogy to fire insurance. *Everyone* keeps their fire insurance up to date, it costs money, and it protects against a very rare event that most fire insurance customers have never experienced. What is it that makes consumers exercise prudent good sense for fire insurance, but not in selecting software?

Fire safety is physical, not tremendously complicated, and we have tons of actuarial data. Software security, on the other hand, is extremely difficult for anyone to measure -- it takes a lot of effort, even with the most advanced tools and knowledge. So there's no way for anyone to tell which software is secure. Many vendors make dramatically inflated claims about their product's security features and rarely get called on them. For example, there are dozens of vendors claiming that their technology solves the OWASP Top Ten -- which is ridiculous.

Anyway, it's not surprising to me that consumers aren't seeking out security. Or that vendors aren't providing it, for that matter. In my opinion, the market is broken because of asymmetric information, and it will never work until we find ways to make security more visible to everyone. I did a talk on this at the NSA High Confidence Software and Solutions conference a few weeks back. The slides are here: http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt

--Jeff

Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com