Seeking assurance: conference addresses IT's insecurities
ASM’s IT security contributor, James Turner, reports on the highlights of this year’s AusCERT conference.
The comedian Robin Williams had a joke: if you remember the 60s, you weren't really there.
Similarly, if you go to an IT conference and you remember what happened then you clearly weren’t networking enough.
Given that I knew in advance that I would be writing this overview for ASM, I took copious notes.
To give my perspective on the conference I’m only going to touch on some key points which were brought up by various speakers, as I think these capture the core message of the conference.
Software Assurance
Last year, at AusCERT 2007, we had a keynote from Mary Ann Davidson, the Chief Security Officer of Oracle. Her message was a call for Software Assurance.
Software Assurance (not the Microsoft licensing deal of the same name) is the principle that software vendors should be held accountable for their products; the same as many other manufacturers.
Do you remember the outcry last year when children’s toys manufactured in China had lead in the paint? Mattel recalled them all.
(Have you ever heard of a software vendor recalling a product?)
On her blog on 8 April 2008, Davidson writes extensively about her efforts to get universities in the United States to train computer science undergraduates in secure programming practices, because Oracle had had a gutful of employing graduate programmers who are untrained in this.
The theme of Software Assurance is of particular interest to me because it actually gets to the root of the problem.
The end goal of software assurance is that we get to use software which is inherently secure, instead of getting stuck on the anti-virus, anti-spyware, anti-spam, anti-whatever, black-list, reactive treadmill of patches, updates, service packs and undocumented features.
The cost of insecure software
David Rice, the author of "Geekonomics: The Real Cost of Insecure Software", is an excellent speaker and enthused about his topic.
I got to talk to him after his presentation and found out that he’s a technologist originally, but has spent the last few years exploring the impact of economics in the IT security market.
In essence Rice stated that insecure software actually invites attack; when we invite attack, we increase disorder; when we invite attack, we become reactive; when we invite attack, we get into a cycle of spending to protect the status quo rather than innovating and moving forward. It’s expensive to be a target.
Rice also made the very interesting point that because society is full of diverse interests with people looking to maximise their satisfaction, they look for “value” in software.
Value in software is usually interpreted as having more features.
Of course, as vendors try to capture market share by adding more features to the software, they naturally introduce greater complexity.
Then, when the vendors rush the product to market, the product is not fully tested.
Instead of punishing the vendor for shipping half-baked software which the market beta tests, the market perceives the added complexity as “value-add” and “cool” and hey presto: the vendor’s sexy new phone is the flavour of the year.
The defects only become apparent after the product becomes popular.
If no one used the product, no one would care and there would be no impact.
Rice observed that in a market where the sellers know more about the product than the buyers do, price becomes the defining feature.
This creates a dumbing-down of the market as higher quality products are excluded from consideration due to their inherently higher price.
This downward spiral leads to what Rice calls a “Lemon Market” where we have options of cheap trash, or even cheaper trash.
Microsoft’s aspirations
Interestingly, the vision of a trustworthy computing platform is exactly what Scott Charney (Corporate VP for Microsoft's Trustworthy Computing initiative) spoke about on the Monday.
Charney discussed the need for software assurance (though he did not use that term) and extended the idea into a trusted stack: trusted hardware, software, data and people.
Charney’s message was that end-to-end trust needs solutions aligned with “societal values, market forces, (and the) regulatory environment”.
One of Charney’s points was that this ideal has not yet been achieved due to misalignment.
So you can see how Rice's message of market failure applies directly to our current situation and ties into what Charney is seeing.
Charney's aspiration for Microsoft is to deliver software which is secure by design, secure by default and secure in deployment.
The man from the NSA (and car industry comparisons)
This led quite naturally into Brian Snow’s presentation, titled “We need assurance!”
Snow is a computer scientist who clocked up over 30 years at the National Security Agency.
(For the final debating panel, he introduced himself as a “torturer of engineers” which made me laugh nervously).
Snow asserted that the software industry now is where the automotive industry was in the 1930s.
He spoke about Honda and Toyota’s penetration into the North American markets and how that was based on the overseas car makers picking up on US consumers’ desire for inbuilt safety.
Ralph Nader's book, "Unsafe at Any Speed: The Designed-In Dangers of the American Automobile", published in 1965, was a turning point for the US car industry.
It was as a result of this book that safety features (anti-lock brakes, seatbelts, traction control, crumple zones and airbags) have become expected features of cars.
Unlike in the software industry today, these safety features are not sold as extras over and above the price of the car.
Interestingly, if we look at the car market now it is true that the bottom end of the market is congested with cheap cars.
But there is still a thriving luxury car market.
So why could we be seeing this divergence?
Could it be that some people are prepared to pay the price for safer, better, cars?
Unfortunately the answer is no.
The most expensive cars are not sold on how safe they are, but on the envy that they provoke in others.
Having said that, now we are in an era where the vast majority of mid-range cars are packed with safety features which were unimaginable just a few decades ago.
However, the car industry is only protecting drivers from themselves and others.
The software industry is not only doing that, but also trying to protect us from people who are trying to remotely exploit vulnerabilities in the steering column, the tyres, the fuel tank, and the brakes.
Snow made two further excellent points.
Firstly, that it is reasonable to expect products to behave safely, even if not perfectly, in a hostile environment.
The second was that we must avoid the highly dangerous situation where we assume that we are safe, when in fact we are not.
To address both of these concerns, we are at the mercy of software vendors.
A postulate for data integrity from the Cisco CSO
Another keynote speaker at the conference was John Stewart, the Chief Security Officer for Cisco.
Stewart spoke about the challenges of managing security for Cisco and threw up some postulates for thought.
Among these was the idea that in IT security we have spent most of our time focussed on data confidentiality and availability; and now we need to focus on data integrity.
Stewart said that we need to have a high degree of confidence that what we put there is still there.
This is the heart of software assurance; no surprises, no unexpected features or behaviour, no need for weekly or monthly patch updates.
The idea is that the software we deploy is stable, resilient, self-contained: that the software has integrity, it possesses internal consistency.
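As an added illustration of Stewart's postulate (example code written for this page, not Cisco's or any speaker's), the following Python builds a keyed integrity manifest over a constructed set of deployed artefacts and checks that "what we put there is still there". It goes slightly beyond the talk as reported: the last two scenarios contrast a plain hash manifest, which an attacker who can write the files can simply recompute, with an HMAC whose key is held off the host. The artefact names, their contents and the key are all assumptions.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed sample deployment (hypothetical artefact names and contents).
DEPLOYED: Dict[str, bytes] = {
    "bin/app": b"\x7fELF\x02\x01\x01 constructed placeholder for a binary",
    "etc/app.conf": b"listen = 127.0.0.1:8443\ntls = required\n",
}
# Verification key; in practice kept off the host being checked (assumption).
KEY = b"constructed-demo-key-not-for-production"


def _digest(key: Optional[bytes], data: bytes) -> str:
    """Unkeyed SHA-256 when key is None, otherwise HMAC-SHA256."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files: Dict[str, bytes], key: Optional[bytes]) -> dict:
    """Digest every artefact, then digest the sorted entry list itself so that
    added or removed entries are detected, not just edited ones."""
    entries = {name: _digest(key, data) for name, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": _digest(key, body)}


def verify_manifest(files: Dict[str, bytes], manifest: dict,
                    key: Optional[bytes]) -> List[str]:
    """Return a list of problems (manifest tag first, then artefacts by name);
    an empty list means every artefact is exactly as recorded."""
    problems: List[str] = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(_digest(key, body), manifest["tag"]):
        problems.append("manifest tag mismatch (manifest tampered or wrong key)")
    expected = manifest["entries"]
    for name in sorted(set(expected) | set(files)):
        if name not in files:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"unexpected: {name}")
        elif not hmac.compare_digest(_digest(key, files[name]), expected[name]):
            problems.append(f"modified: {name}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Run the scenarios and return their findings, keyed by scenario name."""
    manifest = build_manifest(DEPLOYED, KEY)
    results = {"intact": verify_manifest(DEPLOYED, manifest, KEY)}

    # An attacker flips one configuration line in place.
    tampered = dict(DEPLOYED)
    tampered["etc/app.conf"] = b"listen = 0.0.0.0:8443\ntls = optional\n"
    results["config edited"] = verify_manifest(tampered, manifest, KEY)

    # An artefact is deleted and a new one dropped in.
    swapped = {"bin/app": DEPLOYED["bin/app"], "bin/backdoor": b"constructed"}
    results["file swapped"] = verify_manifest(swapped, manifest, KEY)

    # Same attacker, but the deployment used an UNKEYED hash manifest stored
    # alongside the files: the attacker simply recomputes it and the unkeyed
    # check passes, whereas the keyed check still fails.
    forged = build_manifest(tampered, None)
    results["unkeyed manifest forged"] = verify_manifest(tampered, forged, None)
    results["forged manifest vs keyed check"] = verify_manifest(tampered, forged, KEY)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

Run it directly to print each scenario's findings. The design point is that an unkeyed digest stored beside the data only catches accidents; detecting an adversary who can write to the host needs a secret the adversary does not hold, here an HMAC key, or equivalently a signature verified against a pinned public key.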
The blended threat of humour and intelligence
AusCERT 2008 concluded with one of the most valuable sessions I’ve attended there.
Ten of the speakers from the conference had been emailed several topics before the event.
The strength of their opinions was then used to group them into debating teams (three a side).
These teams were given three minutes (one minute per speaker) to present their case.
It was speed debating, and after the MC, comedian Adam Spencer, started to get a few laughs, the panel loosened up and the humour soared.
There were analogies to Balrogs, jet-packed pigs, a Russian impersonator, and then the pig was tarted up with lipstick.
Having a laugh at the end of a three day conference is good, but having articulate people challenge and change my views is even better.
That’s exactly what some of the panellists did.
The philosophic pill was gilded and the medicine had a spoonful of sugar.
Gilbert, Sullivan and Poppins would all have been proud.
The five debate topics were occasionally quite wordy, but the theme throughout was clear: we desperately need Software Assurance.
We’re trying to fix IT security problems by doing the same things we’ve always done – but just doing them faster, better, cheaper.
But doing these things has got us where we are today; we need a revolution in our way of thinking, planning, deploying, measuring and managing IT.
We’ve become so good at pulling metaphorical bodies out of the river that it’s taken us some time to wonder what’s making the bodies fall in the river in the first place.
Software Assurance will hopefully become the posse which goes upstream and stops the problem at its root.
As Rice said, bad software leads to vulnerabilities, which lead to exploits, which lead to breaches.
So what would be possible if bad software became largely a relic of the past?
Is that goal worth working towards? Most assuredly.
About the author: James Turner is an Advisor with IBRS, an Australian company that provides research and advice to IT and Business Managers in Australasian organisations. James specialises in the IT security industry. www.ibrs.com.au