I want to let you in on a little secret. Nobody in the security profession, especially those of us in the software security profession, truly knows what we are doing. You’d never know it talking to security vendors. If you attend a security conference you can walk the booths and talk to hundreds of security professionals selling solutions that cost tens or hundreds of thousands of dollars, each promising that they will solve your security problems with their technology platform, their professional services, and most importantly with their new deep learning, AI algorithms.
Here’s the crux though - we’ve been working on the software security problem for five decades and we still don’t have a solution. In fact the problem is getting worse. Much worse. The attack surface is rapidly expanding. The pool of interested, talented attackers continues to grow. The number of breaches trends ever upwards. The amount of damage done is higher every year. Does that sound like a success story to you?
I looked at the Top 25 Most Dangerous Software Vulnerabilities according to CWE , and the number one item on the list is the buffer overflow (and underflow). This is a vulnerability that was documented and well understood in 1972 ! This is the exact same class of vulnerability that I cut my teeth on in the first year of my career as a security professional way back in 1997 (which now seems like the Stone Age).
How is it possible that this extraordinarily well understood problem, with a wide variety of proven mitigation techniques, can still be the number one most dangerous vulnerability in 2019? Is it because the security profession has lost its way? If we know the ins and outs of a vulnerability for 50 years and the development teams we are working with are still releasing that vulnerability in production software today, what does that say about our approach?
The security industry has no idea how to solve the problem before us and so we keep spinning up more and more complicated technologies, knowing full well that each of them, while they do something, do not come even close to doing enough.
Is it good enough to solve a problem if you haven’t actually solved the problem? Do you get a gold star for selling a solution that makes your customers security posture marginally better, while injecting additional time, cost, and other risks into their process? We tell ourselves if we can make the system just a little bit more secure, we are doing our job. But guess what, it only takes one vulnerability/misconfiguration/confused-human to make the entire house of cards fall down and then we aren’t the ones left to pick up the pieces. Ask any representative from any security company if they can actually make your enterprise secure, then stand by to witness the hemming and hawing.
Most customers I talk to care about security. They really do. But they have no idea how to get their arms around the problem, given the resources and knowledge they have in place. It’s my job to help them become better. I don’t like to tell them that security is like a bottomless pit of need. Solving the problem is exponential - the better you get, the more expensive it becomes. I do the best I can. But when I’m done, they are still vulnerable. I know that, because it’s impossible not to be. Nobody knows how to build unhackable software once its been connected to the Internet. What we know how to do is create software that is probably hard enough to hack that hopefully the attacker will get bored and go somewhere else instead. Is that good enough? Is it good enough to be slightly more secure than your peers and hope that they get hit first?
I live in Montana and around here we like to joke about grizzly bears. I’ll give you a freebie - you don’t need to be faster than the bear, you just need to be faster than the slowest person in your group.
Here’s the software security corollary - you don’t need to be better than the hackers, you just need to be good enough that they move on to an easier target.
Is that the best we can do?
—
This post is the first in a series, where Joe and I will explore the gaps in the software security landscape and search for solutions that might possibly get us to a better place.