Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Michael Silk
On 5/2/05, Kenneth R. van Wyk [EMAIL PROTECTED] wrote:
 Michael Silk wrote:
 I honestly don't believe that the consumers will _EVER_ care, and I
 don't believe that should have to. At most maybe they should just need
 to keep an eye out for a sticker, or star-rating (government approved)
 or something. But as you say, 'security' is 'hard to measure', so an
 approach like that won't work.
 
 As the saying goes, give the consumer the choice between security and
 dancing pigs, and they'll pick dancing pigs every single time.  There's
 probably more than just a grain of truth to that.

I would too; I've never seen a dancing pig ... :)

 
 Yet, despite that pessimistic outlook -- and the survey that forked this
 thread -- I do think that companies are demanding more in software
 security, even though consumers are not.  I'm not aware of surveys that
 directly address that, but it sure seems obvious to me that they are.

Demanding more maybe, but getting charged for it too... so the problem
is still there: security as a 'feature'. 'Security' needs to become a
baseline, just like any other programming construct (maths, ...) But
anyway, ...


 Here's to wishful thinking, anyway!

Agreed!

-- Michael




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-03 Thread Crispin Cowan
ljknews wrote:
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:
  
Yet, despite that pessimistic outlook -- and the survey that
forked this thread -- I do think that companies are demanding
more in software security, even though consumers are not.

Companies value time spent on cleanup more than consumers do.
  

And in this morning's mailbox, we see some evidence to support the claim
that business is considerably less impressed with software quality
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=IMYCZLJPHKPNMQSNDBCSKH0CJUMEKJVN?articleID=161601417

Crispin
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Michael Silk
Inline..

On 5/2/05, Jeff Williams [EMAIL PROTECTED] wrote:
  What really mystifies me is the anlogy to fire insurance. *Everyone*
  keeps their fire insurance up to date, it costs money, and it protects
  against a very rare event that most fire insurance customers have never
  experienced. What is it that makes consumers exercise prudent good
  sense for fire insurance, but not in selecting software?
 
 Fire safety is physical, not tremendously complicated, and we have tons of
 actuarial data. Software security, on the other hand, is extremely difficult
 for anyone to measure -- it takes a lot of effort, even with the most
 advanced tools and knowledge.
 
 So there's no way for anyone to tell which software is secure.  Many vendors
 make dramatically inflated claims about their product's security features
 and rarely get called on them.  For example, there are dozens of vendors
 claiming that their technology solves the OWASP Top Ten -- which is
 ridiculous.
 
 Anyway, it's not surprising to me that consumers aren't seeking out
 security.  Or that vendors aren't providing it for that matter.  In my
 opinion, the market is broken because of asymmetric information, and it will
 never work until we find ways to make security more visible to everyone.

To whom, though?

I honestly don't believe that the consumers will _EVER_ care, and I
don't believe that should have to. At most maybe they should just need
to keep an eye out for a sticker, or star-rating (government approved)
or something. But as you say, 'security' is 'hard to measure', so an
approach like that won't work.

Maybe there is no answer, and the problem will never be fixed ... it's
probably sad but true that companies won't allow 'security' to be
added, or they will at least charge for it because it's now widely
accepted that 'security' is 'feature' not a requirement. And consumers
will never care; look at health warnings on cigarettes for example (at
least in australia): Smoking causes cancer., yet people still smoke.
It will be exactly the same with software. jmho...

-- Michael




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-02 Thread ljknews
At 8:05 AM -0400 5/2/05, Kenneth R. van Wyk wrote:

 Yet, despite that pessimistic outlook -- and the survey that
 forked this thread -- I do think that companies are demanding
 more in software security, even though consumers are not.

Companies value time spent on cleanup more than consumers do.
-- 
Larry Kilgallen




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Crispin Cowan
Greenarrow 1 wrote:
But, the problem I see with this survey is they only polled 1,000 out of 
what over 5 million users in the USofA.
Political pollsters regularly sample 1000 Americans to get a prediction
of 100,000 voters that is accurate to 5% or so. 1000 people should be
sufficient to sample software users, unless there is something else
wrong with the sample or the questions.

  Just randomly suppose they 
accidently picked everyone that
has superb software and hardware on their systems (unlikely but probable). 
  
Just what does unlikely but probable mean?

To suppose this, we have to think there is something wrong with the
sample or the questions. What is it you think is wrong with the sample
or the questions? Or is it just that you find the result to be improbable?

On repairing systems for my customers I say 1 of of 20 are only satisfied 
with their programs so who is right Harris Poll or my customers?
No *there* is a skewed sample; the set of people currently experiencing
a problem so severe that they have to call in a professioal to repair
it. Under just about any circumstance, I would expect this group to be
highly unsatisfied with vendors. It's like taking a survey of auto
quality in the waiting room of a garage.

What really mystifies me is the anlogy to fire insurance. *Everyone*
keeps their fire insurance up to date, it costs money, and it protects
against a very rare event that most fire insurance customers have never
experienced. What is it that makes consumers exercise prudent good sense
for fire insurance, but not in selecting software?

The only factor I can think of is that mortgage carriers insist that
their customers maintain fire insurance. No fire insurance, no loan, and
most people cannot afford to pay cash for their home. So to impose a
prudence requirement on software consumers, perhaps some outside force
has to impose a pay to play requirement on them. Who could that be?

IPSs, perhaps? Similar to mortgage companys, ISPs pay a lot of the cost
of consumer software insecurity: vulnerable software leads to virus
epidemics, and to botnets of spam relays. Perhaps if ISPs recognized the
cost of consumer insecurity on their operations, they might start
imposing minimum standards on consumer connections, and cutting them off
if they fall below that standard. Larry Seltzer has advocated a form of
this, that ISPs should block port 25 for consumer broadband in most
cases http://www.eweek.com/article2/0,1759,1784276,00.asp There are
several other actions that ISPs could take:

* egress filtering on all outbound connections to block source IP
  spoofing
* deploy NIPS on outbound traffic and disconnect customers who are
  emitting attacks
* require customers to have some kind of personal firewall or host
  intrusion prevention

The catch: the above moves are all costly and, to some degree,
anti-competitive, in that they make the consumer's Internet connection
less convenient. So to be successful, ISPs would have to position these
moves as a security enhancement for the consumer, which AOL is doing
with bundled antivirus service as advertised on TV. ISPs could also
position a non-restricted account as an expert account and charge
extra for it.

Crispin
-- 
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix  http://immunix.com




RE: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Arian J. Evans

 -Original Message-
 From: [EMAIL PROTECTED] 
 Sent: Friday, April 29, 2005 2:32 PM
 To: SC-L
 Subject: [SC-L] Why Software Will Continue to Be Vulnerable

 This makes it highly unlikely that software companies are 
 about to start dumping large quantities of $$ into improving software quality.
 

That's interesting. And yet it's even worse than that. Software security
for the most part is not yet a *business* problem. Most businesses
(at least, that I deal with) still see software security as a feature problem
(ie.-we'll add it in version 1.1), an operational problem (e.g.-network 
security),
or a process problem (e.g.--log review or some such nonsense that they
don't likely do anyway). Even worse, security folks that don't understand
the problem make the issue political as they try advance their careers by
solving the problem with lots of security appliance widgets and scanners
and such (which they don't understand either).

So you have (1) lack of public perception that there is an issue, (2) lack
of business perception that it's their issue, and (3) Information Security
Managers/CISOs trying to solve a business problem with more technology.

But all is not lost. There are still drivers:

1. Regulations. SB 1386 is starting to make a large impact in
business perceptions.

2. Standards  Certifications: albeit there is really an utter lack
of Standards/Certs for software security, business are starting
to look for these; several I'm dealing with are looking for these
as selling features.

e.g.--Our widget is more security that Competitor Y's widget
because it is certified secure software.

3. Real world compromises. Take something as simple as XSS. How
do you take is seriously when NO ONE is exploiting it? (I know of only
a small handful of cases between 2000 to 2003.) But that all changed
in 2004, particularly December 2004 when there were a string of
advanced XSS attacks against financial institutions.

(While there are some cool examples from 2004 that I use a lot in
presentations none I repeat none have any meaningful loss numbers
associated with them that I am aware of.)


-ae


Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Dave Aronson
Crispin Cowan [EMAIL PROTECTED] wrote:

  ISPs could also position a non-restricted account as an expert
  account and charge extra for it.

That already happens in many cases, except they call it a business 
class account.  The only one I've heard called some kind of expert 
account is that Speakeasy has packages with different sets of extras for 
the same price, such as SysAdmin (access to their rpmfind mirror), Gamer 
(access to gaming servers), and one I forget the name of (access to 
music servers).  All of the above allow you to run your own swervers.

-Dave




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Jeff Williams
What really mystifies me is the anlogy to fire insurance. *Everyone*
keeps their fire insurance up to date, it costs money, and it protects
against a very rare event that most fire insurance customers have never
experienced. What is it that makes consumers exercise prudent good
sense for fire insurance, but not in selecting software?
Fire safety is physical, not tremendously complicated, and we have tons of 
actuarial data. Software security, on the other hand, is extremely difficult 
for anyone to measure -- it takes a lot of effort, even with the most 
advanced tools and knowledge.

So there's no way for anyone to tell which software is secure.  Many vendors 
make dramatically inflated claims about their product's security features 
and rarely get called on them.  For example, there are dozens of vendors 
claiming that their technology solves the OWASP Top Ten -- which is 
ridiculous.

Anyway, it's not surprising to me that consumers aren't seeking out 
security.  Or that vendors aren't providing it for that matter.  In my 
opinion, the market is broken because of asymmetric information, and it will 
never work until we find ways to make security more visible to everyone.

I did a talk on this at the NSA High Confidence Software and Solutions 
conference a few weeks back.  The slides are here 
http://www.aspectsecurity.com/documents/Aspect_HCSS_Brief.ppt.

--Jeff
Jeff Williams
Aspect Security, Inc.
www.aspectsecurity.com