Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Crispin Cowan
ljknews wrote:
>At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:
>  
>>Yet, despite that pessimistic outlook -- and the survey that
>>forked this thread -- I do think that companies are demanding
>>more in software security, even though consumers are not.
>>
>Companies value time spent on cleanup more than consumers do.
>  

And in this morning's mailbox, we see some evidence to support the claim
that business is considerably less impressed with software quality
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=IMYCZLJPHKPNMQSNDBCSKH0CJUMEKJVN?articleID=161601417

Crispin
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Michael Silk
On 5/2/05, Kenneth R. van Wyk <[EMAIL PROTECTED]> wrote:
> Michael Silk wrote:
> >I honestly don't believe that the consumers will _EVER_ care, and I
> >don't believe that they should have to. At most maybe they should just need
> >to keep an eye out for a sticker, or star-rating (government approved)
> >or something. But as you say, 'security' is 'hard to measure', so an
> >approach like that won't work.
> 
> As the saying goes, give the consumer the choice between security and
> dancing pigs, and they'll pick dancing pigs every single time.  There's
> probably more than just a grain of truth to that.

I would too; I've never seen a dancing pig ... :)

 
> Yet, despite that pessimistic outlook -- and the survey that forked this
> thread -- I do think that companies are demanding more in software
> security, even though consumers are not.  I'm not aware of surveys that
> directly address that, but it sure seems obvious to me that they are.

Demanding more maybe, but getting charged for it too... so the problem
is still there: security as a 'feature'. 'Security' needs to become a
baseline, just like any other programming construct (maths, ...). But
anyway, ...


> Here's to wishful thinking, anyway!

Agreed!

-- Michael




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread ljknews
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:

> Yet, despite that pessimistic outlook -- and the survey that
> forked this thread -- I do think that companies are demanding
> more in software security, even though consumers are not.

Companies value time spent on cleanup more than consumers do.
-- 
Larry Kilgallen




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Kenneth R. van Wyk
Michael Silk wrote:
> I honestly don't believe that the consumers will _EVER_ care, and I
> don't believe that they should have to. At most maybe they should just need
> to keep an eye out for a sticker, or star-rating (government approved)
> or something. But as you say, 'security' is 'hard to measure', so an
> approach like that won't work.
As the saying goes, give the consumer the choice between security and 
dancing pigs, and they'll pick dancing pigs every single time.  There's 
probably more than just a grain of truth to that.

Yet, despite that pessimistic outlook -- and the survey that forked this 
thread -- I do think that companies are demanding more in software 
security, even though consumers are not.  I'm not aware of surveys that 
directly address that, but it sure seems obvious to me that they are.  
Here's to wishful thinking, anyway!

Cheers,
Ken van Wyk


Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Michael Silk
Inline...

On 5/2/05, Jeff Williams <[EMAIL PROTECTED]> wrote:
> > What really mystifies me is the anlogy to fire insurance. *Everyone*
> > keeps their fire insurance up to date, it costs money, and it protects
> > against a very rare event that most fire insurance customers have never
> > experienced. What is it that makes consumers exercise prudent good
> > sense for fire insurance, but not in selecting software?
> 
> Fire safety is physical, not tremendously complicated, and we have tons of
> actuarial data. Software security, on the other hand, is extremely difficult
> for anyone to measure -- it takes a lot of effort, even with the most
> advanced tools and knowledge.
> 
> So there's no way for anyone to tell which software is secure.  Many vendors
> make dramatically inflated claims about their product's security features
> and rarely get called on them.  For example, there are dozens of vendors
> claiming that their technology solves the OWASP Top Ten -- which is
> ridiculous.
> 
> Anyway, it's not surprising to me that consumers aren't seeking out
> security.  Or that vendors aren't providing it for that matter.  In my
> opinion, the market is broken because of asymmetric information, and it will
> never work until we find ways to make security more visible to everyone.

To whom, though?

I honestly don't believe that the consumers will _EVER_ care, and I
don't believe that they should have to. At most maybe they should just need
to keep an eye out for a sticker, or star-rating (government approved)
or something. But as you say, 'security' is 'hard to measure', so an
approach like that won't work.

Maybe there is no answer, and the problem will never be fixed ... it's
probably sad but true that companies won't allow 'security' to be
added, or they will at least charge for it because it's now widely
accepted that 'security' is a 'feature', not a requirement. And consumers
will never care; look at health warnings on cigarettes for example (at
least in Australia): "Smoking causes cancer.", yet people still smoke.
It will be exactly the same with software. jmho...

-- Michael




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Jeff Williams
> What really mystifies me is the analogy to fire insurance. *Everyone*
> keeps their fire insurance up to date, it costs money, and it protects
> against a very rare event that most fire insurance customers have never
> experienced. What is it that makes consumers exercise prudent good
> sense for fire insurance, but not in selecting software?
Fire safety is physical, not tremendously complicated, and we have tons of 
actuarial data. Software security, on the other hand, is extremely difficult 
for anyone to measure -- it takes a lot of effort, even with the most 
advanced tools and knowledge.

So there's no way for anyone to tell which software is secure.  Many vendors 
make dramatically inflated claims about their product's security features 
and rarely get called on them.  For example, there are dozens of vendors 
claiming that their technology solves the OWASP Top Ten -- which is 
ridiculous.

Anyway, it's not surprising to me that consumers aren't seeking out 
security.  Or that vendors aren't providing it for that matter.  In my 
opinion, the market is broken because of asymmetric information, and it will 
never work until we find ways to make security more visible to everyone.

I did a talk on this at the NSA High Confidence Software and Solutions 
conference a few weeks back.  The slides are here 
http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt.

--Jeff
Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com


Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Dave Aronson
Crispin Cowan <[EMAIL PROTECTED]> wrote:

 > ISPs could also position a non-restricted account as an "expert"
 > account and charge extra for it.

That already happens in many cases, except they call it a "business 
class" account.  The only one I've heard called some kind of "expert" 
account is that Speakeasy has packages with different sets of extras for 
the same price, such as SysAdmin (access to their rpmfind mirror), Gamer 
(access to gaming servers), and one I forget the name of (access to 
music servers).  All of the above allow you to run your own servers.

-Dave




RE: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Arian J. Evans

> -Original Message-
> From: [EMAIL PROTECTED] 
> Sent: Friday, April 29, 2005 2:32 PM
> To: SC-L
> Subject: [SC-L] Why Software Will Continue to Be Vulnerable
>
> This makes it highly unlikely that software companies are 
> about to start dumping large quantities of $$ into improving software quality.
> 

That's interesting. And yet it's even worse than that. Software security
for the most part is not yet a *business* problem. Most businesses
(at least, that I deal with) still see software security as a "feature" problem
(i.e., we'll add it in version 1.1), an operational problem (e.g., network
security), or a process problem (e.g., log review or some such nonsense that they
don't likely do anyway). Even worse, security folks that don't understand
the problem make the issue political as they try to advance their careers by
solving the problem with lots of "security appliance" widgets and scanners
and such (which they don't understand either).

So you have (1) lack of public perception that there is an issue, (2) lack
of business perception that it's their issue, and (3) Information Security
Managers/CISOs trying to solve a business problem with more technology.

But all is not lost. There are still drivers:

1. Regulations. SB 1386 is starting to make a large impact in
business perceptions.

2. Standards & Certifications: albeit there is really an utter lack
of Standards/Certs for software security, businesses are starting
to look for these; several I'm dealing with are looking for these
as selling features.

e.g., Our widget is more secure than Competitor Y's widget
because it is certified "secure software".

3. Real world compromises. Take something as simple as XSS. How
do you take it seriously when NO ONE is exploiting it? (I know of only
a small handful of cases between 2000 and 2003.) But that all changed
in 2004, particularly December 2004 when there was a string of
advanced XSS attacks against financial institutions.

(While there are some cool examples from 2004 that I use a lot in
presentations, none, I repeat none, have any meaningful loss numbers
associated with them that I am aware of.)


-ae


Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Crispin Cowan
Greenarrow 1 wrote:
>But, the problem I see with this survey is they only polled 1,000 out of 
>what over 5 million users in the USofA.
Political pollsters regularly sample 1000 Americans to get a prediction
of 100,000 voters that is accurate to 5% or so. 1000 people should be
sufficient to sample software users, unless there is something else
wrong with the sample or the questions.

>  Just randomly suppose they accidentally picked everyone that
>has superb software and hardware on their systems (unlikely but probable). 
>  
Just what does "unlikely but probable" mean?

To "suppose" this, we have to think there is something wrong with the
sample or the questions. What is it you think is wrong with the sample
or the questions? Or is it just that you find the result to be improbable?

>On repairing systems for my customers I say 1 of 20 are only satisfied 
>with their programs, so who is right, Harris Poll or my customers?
No *there* is a skewed sample; the set of people currently experiencing
a problem so severe that they have to call in a professional to repair
it. Under just about any circumstance, I would expect this group to be
highly unsatisfied with vendors. It's like taking a survey of auto
quality in the waiting room of a garage.

What really mystifies me is the analogy to fire insurance. *Everyone*
keeps their fire insurance up to date, it costs money, and it protects
against a very rare event that most fire insurance customers have never
experienced. What is it that makes consumers exercise prudent good sense
for fire insurance, but not in selecting software?

The only factor I can think of is that mortgage carriers insist that
their customers maintain fire insurance. No fire insurance, no loan, and
most people cannot afford to pay cash for their home. So to impose a
"prudence" requirement on software consumers, perhaps some outside force
has to impose a "pay to play" requirement on them. Who could that be?

ISPs, perhaps? Similar to mortgage companies, ISPs pay a lot of the cost
of consumer software insecurity: vulnerable software leads to virus
epidemics, and to botnets of spam relays. Perhaps if ISPs recognized the
cost of consumer insecurity on their operations, they might start
imposing minimum standards on consumer connections, and cutting them off
if they fall below that standard. Larry Seltzer has advocated a form of
this, that ISPs should block port 25 for consumer broadband in most
cases: http://www.eweek.com/article2/0,1759,1784276,00.asp There are
several other actions that ISPs could take:

* egress filtering on all outbound connections to block source IP
  spoofing
* deploy NIPS on outbound traffic and disconnect customers who are
  emitting attacks
* require customers to have some kind of personal firewall or host
  intrusion prevention

The catch: the above moves are all costly and, to some degree,
anti-competitive, in that they make the consumer's Internet connection
less convenient. So to be successful, ISPs would have to position these
moves as a "security enhancement" for the consumer, which AOL is doing
with bundled antivirus service as advertised on TV. ISPs could also
position a non-restricted account as an "expert" account and charge
extra for it.

Crispin
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com
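Two of the ISP-side measures in the message above (egress filtering against source-address spoofing, and Seltzer's port-25 block) as a small added simulation; this is not code from the original thread or from Immunix. The per-customer prefixes, the disconnect threshold and the traffic are all constructed, as are the function names `egress_decision` and `apply_policy`.

```python
import ipaddress
from collections import Counter

# Constructed sample: each customer link is assigned one prefix (assumption:
# a /29 per residential customer; real allocations vary by ISP).
CUSTOMER_PREFIXES = {
    "cust-a": ipaddress.ip_network("203.0.113.0/29"),
    "cust-b": ipaddress.ip_network("203.0.113.8/29"),
}
# Constructed policy: this many spoofed packets and the link is cut off,
# modelling "disconnect customers who are emitting attacks".
DISCONNECT_THRESHOLD = 3


def egress_decision(customer, src_ip, dst_port):
    """Classify one outbound packet: 'forward', 'drop-spoofed' or 'drop-smtp'."""
    prefix = CUSTOMER_PREFIXES[customer]
    if ipaddress.ip_address(src_ip) not in prefix:
        return "drop-spoofed"      # source address is not the customer's own
    if dst_port == 25:
        return "drop-smtp"         # consumer link may not send mail directly
    return "forward"


def apply_policy(packets):
    """Run the egress filter over (customer, src_ip, dst_port) tuples.

    Returns (decisions in input order, sorted list of customers to disconnect).
    """
    decisions = []
    spoofed = Counter()
    for customer, src_ip, dst_port in packets:
        verdict = egress_decision(customer, src_ip, dst_port)
        decisions.append(verdict)
        if verdict == "drop-spoofed":
            spoofed[customer] += 1
    cut_off = sorted(c for c, n in spoofed.items() if n >= DISCONNECT_THRESHOLD)
    return decisions, cut_off


# Constructed traffic, not captured data: cust-a behaves (one direct SMTP
# attempt), cust-b keeps emitting packets with forged source addresses.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.2", 443),
    ("cust-a", "203.0.113.3", 25),
    ("cust-b", "203.0.113.9", 80),
    ("cust-b", "198.51.100.7", 53),
    ("cust-b", "198.51.100.8", 53),
    ("cust-b", "192.0.2.1", 53),
]

if __name__ == "__main__":
    verdicts, disconnected = apply_policy(SAMPLE_PACKETS)
    for packet, verdict in zip(SAMPLE_PACKETS, verdicts):
        print(packet, "->", verdict)
    print("disconnect:", disconnected)
```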




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Greenarrow 1
But, the problem I see with this survey is they only polled 1,000 out of 
what over 5 million users in the USofA.  Just randomly suppose they 
accidentally picked everyone that has superb software and hardware on their 
systems (unlikely but probable). 
On repairing systems for my customers I say 1 of 20 are only satisfied 
with their programs, so who is right, Harris Poll or my customers?  To me this 
is like the TV ratings group with their poll which only samples less than 
1/10 of the total TV population.

Way too many options for flaws in this survey.  I attend many forums and see 
lots of input about bad software and hardware but it's too bad they do not 
complain to the maker.

Regards,
George
Greenarrow1
InNetInvestigations-Forensics


- Original Message - 
From: "Crispin Cowan" <[EMAIL PROTECTED]>
To: "SC-L" 
Sent: Friday, April 29, 2005 12:32 PM
Subject: [SC-L] Why Software Will Continue to Be Vulnerable


> Here's a depressing survey
> http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=161601958
>
> It reports a survey of adults asking them whether an industry was
> doing "a generally good job or a bad job of serving their customers." To
> come up with a final score in the annual survey, Harris subtracted the
> negative responses from the positive responses.
>
> The sad result: software companies, as an industry, placed 4th in the
> top 10 of this survey. That means that consumers are generally pretty
> happy with the software they are buying.
>
> This makes it highly unlikely that software companies are about to start
> dumping large quantities of $$ into improving software quality.
>
> Crispin
>
> -- 
> Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
> CTO, Immunix  http://immunix.com
> 




[SC-L] Why Software Will Continue to Be Vulnerable

2005-04-30 Thread Crispin Cowan
Here's a depressing survey 
http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=161601958

It reports a survey of adults asking them whether an industry was 
doing "a generally good job or a bad job of serving their customers." To 
come up with a final score in the annual survey, Harris subtracted the 
negative responses from the positive responses.

The sad result: software companies, as an industry, placed 4th in the 
top 10 of this survey. That means that consumers are generally pretty 
happy with the software they are buying.

This makes it highly unlikely that software companies are about to start 
dumping large quantities of $$ into improving software quality.

Crispin
--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com