A story on Wired claims that finding holes in software is a waste of time since, as far as we can tell, most vulnerabilities are rarely exploited.
As I wrote in the paper The Injustice of Insecure Software, the penetrate-and-patch mentality of the software industry is inherently flawed. It does not work today and cannot scale to meet the demands of software that plays an ever-increasing role in the safety and health of daily lives.
The audacity of the current system is not that the majority of vulnerabilities do not turn into flaming exploits like Code Red and Nimda, but that most software vendors do not examine the unintended functionality of the software they write. Quality assurance groups are so focused on making sure software does what it is supposed to do that they rarely spend time examining unintended functionality.
As software becomes an integral part of the way things work in both the virtual and physical world, software customers cannot continue to accept software riddled with security vulnerabilities. Just as a development team designs for performance, reliability, ease of use, and quality, it must also design for security. By designing for security you get the value of quality and the ability to sell to the likes of GE and Sprint. You also get to avoid the costly and negative investment in patching the holes your customers find in your software.
For a view into some of the latest vulnerabilities that influence our life in the physical world, check out this article on traffic control software in the latest issue of Phrack.
The New York Times today has an article describing the challenge of identifying names within a large database. In this case, the database is of known terrorists and the article does little to convince anyone that security agencies will be able to screen for terrorists based on names. This software has a long way to go before it can be used confidently to identify individuals in a multi-cultural society.
If you monitor a huge ecosystem over time, I believe your ability to identify anomalous behavior in real time decreases as the size of the ecosystem grows - especially if you can store more data than you can process. The data that you cannot process, you cannot monitor. Correct? Someone tell me if I'm nuts.
The NY Times reported today that the Bush administration wants to monitor the Internet. Perhaps they should just go buy Counterpane and then force every major service provider to provide hooks into Counterpane's monitoring devices - or perhaps provide some sort of standard data feed to Counterpane.
Aside from all the privacy noise on this one - I expect we will need to see some serious research into detecting anomalous behavior. Stay tuned, this one might get interesting.
Sprint is demanding secure software. I believe this will help them increase the reliability of their services. Security in the telecom industry used to be focused on fraud - preventing people from obtaining free telco services.
With packet-based networks, the telco threat model has shifted dramatically. Security is now a quality of service issue. Data communications hardware has long had to meet stringent reliability requirements. Security standards will augment those requirements.
I am currently aware of two major corporations with security requirements for software procurement: Sprint and General Electric. If you know of others, please comment.
As a side note - check out how dumb AT&T and Qwest sound in the article for not requiring vendors to deliver secure software.
The last two entries of Glenn Fleishman's Wi-Fi News are worth reading. He provides links to every major Wi-Fi news story of the last year. Also included are links to today's New York Times Wi-Fi spread.
Microsoft has known this for years, but others are starting to clue into the value of digital identity. Carol Cove Benson has recently done a good job of describing this dynamic in this article on the marketing value of digital identity.
To be fair, this is where the PKI craze of the late '90s was attempting to demonstrate value. Web services, PKI, and the ability to derive business value from digital identity (apart from reducing fraud) may finally result in good solid authentication on the Internet. Too bad the Liberty Alliance may not pull it off.
As a side note, I predicted in 199 that PKI technology would find its first large deployments embedded deep inside other applications. The suits simply could not figure out a way to make PKI deliver the business value that Carol describes. Web services apps, SAML, the Liberty Alliance, and a few marketing types that actually have a budget might be able to get somewhere.
Also: You have to love Carol's rant against the word federate (and its derivatives).
Here is Webster's definition of federate (Normal people are supposed to know what this means? Webster's can barely figure it out.)
Main Entry: 1 fed·er·ate
Etymology: Latin foederatus, from foeder-, foedus
: united in an alliance or federation : FEDERATED
Main Entry: 2 fed·er·ate
Function: transitive verb
Inflected Form(s): -at·ed; -at·ing
: to join in a federation
1 : something formed by federation: as a : a federal government b : a union of organizations
2 : the act of federating; especially : the forming of a federal union
I just came across an article by Gene Spafford on open vs. closed source security. His answer comes down to "it depends." If security is not a core component of the design goal - the end result is an insecure product.
Question: If you know enough about digital security issues and data communications hardware to be dangerous, how do you apply that expertise?
Answer: Get a job as an analyst at IDC covering Wireless LAN technologies.
Very exciting - I started yesterday. I'm looking forward to learning a new market, reconnecting with all my IDC friends, and of course helping execs and product managers navigate the marketplace.
Also: The opinions expressed here represent my own and not those of my employer.