In an interview published this week, WhiteHat Security founder and CTO Jeremiah Grossman said that ultimately, the problem with security is a lack of decent protection.
Grossman said that information security has to change its thinking as there is a problem in a belief that you can put a box in and the problem goes away, and that is most people’s way of doing things and how they are trained.
He said: “We need software security, not security software. It is two completely different things and a really difficult problem as the world only has 17 million programmers and there is a lot of folk out there, and we have to tackle two problems – how do we write more secure code and validate it, and what do we do with legacy code.”
So is that the solution to attacks and breaches? Could better code and software be the answer? I took the discussion to some key people in the industry to get some thoughts. Tenable’s Jack Daniel said that this was “absolutely true” and pointed at work by his CSO Marcus Ranum, who he said had been saying this forever, and before him others had said that too.
Daniel said: “The fundamental issue is, if you have insecure software, and you are adding additional software to it to secure it – there is a fundamental flaw in that. So that is the purist view, and the rational view is that if I want things to be better tomorrow, and not in ten years time, then the only solution I have got is to add a layer of protection.
“Adding a firewall, and the problem in the industry is we are 20 years into saying ‘we apply this one band-aid and fix it later’. Now we have code bases the size of Windows and OS10 that require huge stacks of bandages, and we have never gone back to the model of fixing the core code.”
This is a fair point: if there is a flaw in the base of a product then no matter how many patches you apply or layers you add, there is still a flawed base. John Maddison, vice president of marketing at Fortinet, said that there is so much hype going on and users are confused by what is being said, and we need to spend more time on sophistication than on hype.
Dr Eric Cole, CEO of Secure Anchor and senior fellow at the SANS Institute, said that he would put Heartbleed and XP into this category too, as most companies come in with the assumption that software is secure, and most people believe that software and applications are locked down and protected.
He said: “People need to come in with the assumption that any software or any OS has vulnerabilities and exposures, and we have to recognise that they exist and approach security from that perspective.
“Look at most organisations, when they roll out new products or new solutions, how much time do they spend on functionality testing, and how much on security testing? Take non-security products – Oracle, Java – and ask how much time they spend on functionality versus security, and that is where they spend the most time.
“Think of a firewall or an intrusion detection engine. When they deploy it and test it, they test the positive not the negative, so when a company deploys a new firewall what do they do? They deploy it and make sure things work and if everything works correctly, they declare victory! But they do not check that the things that are not supposed to be working are not working. We are not testing the negative so that they are not stopping and controlling the areas that they should.”
Maybe this comes down to the resources and finances to do such a level of testing, but could this be dealt with? I spoke with RSA Conference programme committee chairman Hugh Thompson, who is also senior vice president, chief security strategist and chief marketing officer at Blue Coat Systems. I asked him to share his comments on what Grossman said, and he said he agreed generally, but as well as needing secure software, we also need security technologies that make it easy for users to do the right thing.
He said: “Instead of encumbering them and hindering them, we need technology that actually makes it easier for them to do things. That is a really different mindset than security has had for a long time.
“It’s hard to trust things that don’t have security at their core, but then at the same time, if we’re not making technology that lets users do what they really want to do, and figuring out and innovating ways to make it more secure on the back end that don’t really bother them, then we’re going to be in real trouble.”
Usability and security do not always go together, but surely for products to be secure they have to be usable or, as Thompson said, we have a problem as they will be bypassed.
The problem is clear then, but the solution is far from clear – the next generation may be able to code better, but will they be able to meet the industry standard that is required for security? Let’s look again in 20 more years.