
The Security Industry Is Failing Miserably At Fixing Underlying Dangers

Soulskill posted about 3 months ago | from the closing-the-barn-door dept.

Security 205

cgriffin21 writes: The security industry is adding layers of defensive technologies to protect systems rather than addressing the most substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday. Eugene Spafford, a noted computer security expert and professor of computer science at Purdue University, said software makers continue to churn out products riddled with vulnerabilities, creating an incessant patching cycle for IT administrators that siphons resources from more critical areas.


205 comments


In other news, water is wet. (1)

Anonymous Coward | about 3 months ago | (#47318311)

Nothing to see here, move along.

Re:In other news, water is wet. (2, Interesting)

Penguinisto (415985) | about 3 months ago | (#47318973)

Well what else is there to do? The Security guys have to deal with a plethora of headaches, including demanding (but clueless) PHBs, commercial software houses whose idea of secure code is to patch it only after holes are found/exploited, and the need to make these things usable.

I mean, seriously - you can make something uber-secure, but you still gotta use the thing.

Besides, the most substantial underlying problem isn't the software, but the idiot behind the keyboard, and there's no fixing that.

Mind you, I agree that software should be vetted for security flaws and issues. I detest asshat software houses who have the motto of 'Release Date Uber Alles'. I also agree that aggressive release schedules and the too-often-piss-poor implementation of Agile bears a very substantial chunk of the blame.

BUT - the days of glaringly obvious vulns are so rare now that they're pretty much nonexistent these days (with but a very small handful of exceptions.) There's also the problem that one can write the most secure software practical, but then $OS_Maker decides to patch/change something (esp. in memory-handling), which in turn opens a hole in your product that you could have never anticipated.

I think TFA did two things wrong - one, he focused on one thing when security requires focusing on multiple things he gave nary a mention to (including that big fat variable also known as the user), and two, I do think that while yeah it's fun to poke at developers and blame them for stuff, asking for them to be psychic is a bit of a stretch. I say this because most software houses are honest about how they write code, and they do at least a modicum of diligence in that direction... yet they get raked over the coals when some ungodly complex vuln pops up that no human being could have anticipated (but at least one human being managed to stumble across.)

What's the solution? (2)

jandrese (485) | about 3 months ago | (#47318319)

It seems like his solution is: Simply don't release code that has bugs in it. Which is kind of like saying that the airline industry would be so much more efficient if we could just get rid of wind resistance.

Re:What's the solution? (2)

Lazere (2809091) | about 3 months ago | (#47318371)

Well, it would.

Re:What's the solution? (1)

NotDrWho (3543773) | about 3 months ago | (#47318385)

I think the airline industry should concentrate on avoiding airline crashes.

Re:What's the solution? (2)

GameboyRMH (1153867) | about 3 months ago | (#47318395)

More like saying that the airline industry would be much more efficient without human error...in fact it's pretty much the same thing. Wouldn't it work better if planes didn't need safety equipment or redundant safety checks, and all the passengers and crew moved with perfect timing like they were in some kind of dance routine?

Human error will always exist. Deal with it.

Re:What's the solution? (4, Insightful)

preaction (1526109) | about 3 months ago | (#47318789)

I'd say the aerospace industry is dealing with it a lot better than the software industry. Perhaps we should get held up to the same standards, maybe then we could earn the title of "(Software) Engineer".

Re:What's the solution? (2)

Penguinisto (415985) | about 3 months ago | (#47319001)

I'd say the aerospace industry is dealing with it a lot better than the software industry.

This is somewhat because the airline industry has been around for far longer, but mostly because their screw-ups usually generate large numbers of dead people.

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47319077)

Sure. We'll just require our users to get a license before being permitted to use our product in a live setting, with requirements including a minimum of 250 hours using the software in staging conditions, and oral, written and practical exams. Or maybe we could go with the airline passenger model, and "only" require them to follow our every instruction under penalty of federal law and incarceration.

Re:What's the solution? (1)

aynoknman (1071612) | about 3 months ago | (#47319797)

I'd say the aerospace industry is dealing with it a lot better than the software industry. Perhaps we should get held up to the same standards, maybe then we could earn the title of "(Software) Engineer".

The problem is that there are subsystems on an aircraft that can be transparently seen to be critical or non-critical. A loose latch on the door to the garbage bin in the galley is not likely to take the entire plane down.

The same can't be said of a computer system. Any program that breaks security breaks it for the entire system.

Less new code, more refinement (1)

TiggertheMad (556308) | about 3 months ago | (#47318925)

Human error may always exist, but I think the point is that people aren't learning from their errors. With software, you can find a problem, fix it, and then iterate until all the problems that can be encountered are handled. If you build in robust modules there is a point where you start to see fewer and fewer errors being introduced into the code. That isn't currently happening. If we really want to, we can build truly bullet proof code modules but it would take a substantial change in the way things are done.

Suggesting that human error will always exist and that therefore there isn't any point in trying to reduce or remove it is lazy and stupid.

Re:What's the solution? (4, Informative)

jellomizer (103300) | about 3 months ago | (#47318399)

Well companies can do much more to improve on that front though.
1. Architect the product, not just build it. All too often the focus is on meeting business objectives and security is added later. A product that was well thought-out and designed handles security as part of the core design as well as the business objectives.

2. No Back door, design the program so the programmers can't get in without having rights to do so. The password DB should be only managed by the computer and humans shouldn't be able to figure it out.

3. Infrastructure planning. The Website shouldn't also be the Database server. The Database should only allow access from select sources, and give permissions that are appropriate to the user.

4. Plan for failure. Figure if someone breaks into the system find a way to minimize the impact. Make sure the Salt for your hashes is hard to find, etc...
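Point 4 above (limit the damage when the password database is taken) is the one that most directly turns into code, so here is an added example, not code from the thread or from any project it mentions. It stores each password as a self-describing record with a fresh random per-user salt and a deliberately slow PBKDF2-HMAC-SHA256 derivation, and optionally mixes in a server-side "pepper" that lives in application configuration rather than the database. In standard practice the salt itself is stored next to the hash and is not secret; the pepper is the part an attacker holding only a database dump does not get. The record format, the iteration count and the pepper handling are this example's own assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for the example;
# raise it over time as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int, pepper: bytes) -> bytes:
    """Slow, salted derivation of a password into a fixed-size digest.

    If a pepper is supplied, the password is first run through HMAC under
    the pepper, so a copy of the database alone (salt + hash) is not enough
    to start an offline guessing attack. This layering is an assumption of
    the example, not something the thread prescribes.
    """
    material = password.encode("utf-8")
    if pepper:
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations)


def hash_password(password: str, pepper: bytes = b"") -> str:
    """Return a record of the form algorithm$iterations$salt_hex$hash_hex.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, ITERATIONS, pepper)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = b"") -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = bytes.fromhex(hash_hex)
    actual = _derive(password, bytes.fromhex(salt_hex), int(iterations), pepper)
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pepper = b"kept-in-app-config-not-in-db"   # assumed secret for the demo
    rec = hash_password("correct horse battery staple", pepper=pepper)
    print(rec)
    print(verify_password("correct horse battery staple", rec, pepper=pepper))
    print(verify_password("correct horse battery staple", rec))  # wrong pepper
```

Because the iteration count travels with the record, the work factor can be raised later and old records re-hashed at the user's next successful login without a migration flag day.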

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47318457)

Old development axiom:

Cheap. Fast. Good.
You can only ever pick two at a time. Often Cheap and Fast are the choices to get the product out the door.

Re:What's the solution? (2)

Bengie (1121981) | about 3 months ago | (#47319677)

So far my only experience as to why stuff takes so long to program is because there was so little architecting from the get-go. Too many engineers have access to tools that can get the job done, but don't realize how they work. All the nuances that make certain tools different creates huge differences in performance and security when the tools are mixed together.

From my perspective "Cheap. Fast. Good." all go together. The quickest projects to complete are well designed. Maybe I consider it cheap because I don't pay my own salary.

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47319553)

The password DB should be only managed by the computer and humans shouldn't be able to figure it out. Seriously? So a rogue admin can set up a new user, or revoke other users or prevent others from lawfully using it, thus rendering the system useless? Sounds good to me, sign me up. Oh, you mean only allow authorized users? Get back to me when you can, a simple solution for a computer to determine what authorized means.

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47318415)

We can't do much about the laws of physics. In programming, there will always be bugs, but not all bugs have to be so severe as to create security vulnerabilities. Just like the airline industry doesn't want mediocre or bad pilots, programming industries don't want (necessarily) mediocre or bad programmers. Unfortunately from what I've seen, the principles of security in programming are not taught in many places and pretty much never at a beginner's level. Thus the average programmer probably doesn't even know the potential for problems, let alone how to avoid them.

Of course good programmers can still trip up, but the comical amount of patches for security flaws doesn't need to be as high as it is.

Re:What's the solution? (1)

bill_mcgonigle (4333) | about 3 months ago | (#47318425)

It seems like his solution is: Simply don't release code that has bugs in it. Which is kind of like saying that the airline industry would be so much more efficient if we could just get rid of wind resistance.

You could posit that but the actual quote is:

Without an investment in computer programming education and a major move by software manufacturers to embed software security concepts early into the development process, the problems will continue to get worse, Spafford said.

which seems fairly reasonable, but he doesn't talk about incentives, just "shoulds", which is silly because incentives are what's needed to get anybody to do anything. The same 'should' has existed for 15 years.

The stupid approach would be to enforce liability and start throwing lawsuits everywhere. The smarter approach would be to have third-party auditors and certification bodies give particular programs a rating based on their code and processes. Mine would be +50 for being open source and -75 for not having any process to deal with security bugs (or whatever). Certain ratings agencies would gain better reputations than others and the industry would improve. I'd expect insurance companies would give discounts on E&O to vendors with good ratings and stick it to those with miserable ratings. That at least is a financial incentive to move in the right direction.

Re:What's the solution? (2)

DarkOx (621550) | about 3 months ago | (#47318769)

Honestly I think the problem is the universities don't actually teach CS. They don't even teach programming; they teach C++, C#, or Java.

We would be better off if students were taught in their professor's boutique language that exists nowhere in industry frankly. That would at least move the emphasis toward general theory and patterns. As it stands today most grads spend all their time memorizing what's in the standard library for whatever language they were taught and don't have any clue how to architect software or systems of software.

So the next thing you know unsanitized input is being concatenated onto some string and fed to some cousin of eval() in the language du jour. If we are lucky they read on some security blog they should make sure to check stuff passed to that function but it never occurs to anyone the very fact they need eval() in the first place suggests strongly their approach is bad, and we still have an injection once some hacker figures out they can use parens instead of spaces and bypass the input checking or something.
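The "parens instead of spaces" bypass in the comment above is easy to reproduce, so here is an added example, not code from the thread, using SQL as the eval() cousin. A hypothetical blacklist filter rejects any input containing whitespace, which blocks the textbook `' OR 1=1--`, yet a payload built from parentheses and a comment sails through and is then concatenated into the query text. The fix is not a better blacklist but keeping the value out of the SQL text altogether with a bound parameter. The table, its rows and the filter are constructed for this example; the same pattern applies to shell commands, LDAP filters or anything else that is parsed after concatenation.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the example (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def naive_filter(user_input: str) -> str:
    """Hypothetical blacklist of the kind the comment describes.

    It rejects anything with whitespace, on the theory that injection
    payloads need spaces between keywords. They do not.
    """
    if re.search(r"\s", user_input):
        raise ValueError("rejected: whitespace not allowed")
    return user_input


def filter_rejects(user_input: str) -> bool:
    """True if the blacklist would have thrown for this input."""
    try:
        naive_filter(user_input)
    except ValueError:
        return True
    return False


def lookup_concat(conn: sqlite3.Connection, user_input: str) -> list:
    """Vulnerable: filtered input is still concatenated into the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '" + naive_filter(user_input) + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, user_input: str) -> list:
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (user_input,)
    ).fetchall()


# Spaces are replaced by parentheses; the trailing comment eats the closing quote.
# The concatenated query becomes:  ... WHERE name = ''OR(1=1)--'
PAYLOAD = "'OR(1=1)--"

if __name__ == "__main__":
    conn = make_db()
    print("blacklist stops the classic payload:", filter_rejects("' OR 1=1--"))
    print("concatenated, no-space payload returns:", lookup_concat(conn, PAYLOAD))
    print("parameterised, same payload returns:", lookup_param(conn, PAYLOAD))
```

The filter is not wrong because it is incomplete; it is wrong because it reasons about the query language's syntax from outside the parser. Parameter binding lets the database's own parser see the boundary between code and data, which is the only reliable place for that boundary to be drawn.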

Re:What's the solution? (1)

tibit (1762298) | about 3 months ago | (#47318823)

CS is a subfield of mathematics. It's useful in software and computer engineering, but it's the engineering field you should be talking about, not a subfield of what is, in essence, an art [worrydream.com] . And yes, I do agree with Lockhart. Wholeheartedly.

Re:What's the solution? (1)

disposable60 (735022) | about 3 months ago | (#47319237)

Oh please! A CS degree is a license to get a coding job and nothing more (any more).
No employer is going to hire a coder who doesn't have at least 2 years in the currently fashionable language in the dominant ecosystem.

The geeks you're talking about are Computer Engineers, but if you're not a top-ranked grad from one of the top-12 schools, you're going to wind up as a codemonkey working for an accountant.

Re:What's the solution? (1)

Curunir_wolf (588405) | about 3 months ago | (#47319603)

The smarter approach would be to have third-party auditors and certification bodies give particular programs a rating based on their code and processes.

Excellent idea. Not sure that the insurance is really needed, the trick is simply to market the certification or auditor groups properly. IT PHBs just love Gartner. They'll quote their releases, follow their reports, and buy everything they say without question. So you need an organization like that on the software or software developer auditor side - Gartner does nothing like that. A similarly positioned organization could easily affect the stock prices or VP funding availability of any software seller, so it would be all the financial incentive those developers need.

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47318441)

Market-tolerance of bugs (including security holes) keeps the costs of development low.

Some security holes are so simple and cheap to fix, and so impactful to users, that failing to fix them should be treated as criminal negligence. Other holes are basically impossible to find before release. And there is a whole spectrum in between, which makes any kind of blanket legal handling for security holes impractical.

Re:What's the solution? (1)

drinkypoo (153816) | about 3 months ago | (#47318561)

Which is kind of like saying that the airline industry would be so much more efficient if we could just get rid of wind resistance.

Because of my contrary nature, I immediately started wondering if that was actually true. As speed increases, I imagine that fighting drag does get to be harder than fighting gravity, but I don't actually know. But a bigger question is, what about falling out of the sky when your propulsion system fails? No parachutes... you need an active recovery system.

I think we'd have stuck with trains and boats...

What would have to happen to physics to eliminate wind resistance?

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47318649)

"As speed increases, I imagine that fighting drag does get to be harder than fighting gravity" Indeed it does. As speed increases, lift per unit wing area rises.

"what about falling out of the sky when your propulsion system fails?" Many a good plane can glide to a landing with no engines running. The space shuttle does it from Mach 26...

Re:What's the solution? (1)

drinkypoo (153816) | about 3 months ago | (#47318765)

"As speed increases, I imagine that fighting drag does get to be harder than fighting gravity" Indeed it does. As speed increases, lift per unit wing area rises.

I'm talking about the drag on the rest of the plane, though, not the part that's generating lift. Obviously you need that for planes to work. That doesn't rule out commercial air travel, though; they could still use rockets. But I would have imagined that you'd have to be going pretty fast to make that cheaper in terms of energy than flight in the really real world, not the postulated one.

"what about falling out of the sky when your propulsion system fails?" Many a good plane can glide to a landing with no engines running. The space shuttle does it from Mach 26...

Yes, but aren't lift and drag two parts of the same phenomenon? It's my understanding (bracing for correction?) that you won't get to glide in this postulated reality. There will be no shuttle gliding to a landing (much like this reality, heh) but you can still land a rocket gracefully.

Re:What's the solution? (1)

Curunir_wolf (588405) | about 3 months ago | (#47319651)

Yes, but aren't lift and drag two parts of the same phenomenon?

In a way, yes. The airplane wing is curved on the top, and flat on the bottom. The wind has to travel farther over the top of the wing than the bottom, meaning there is less air pressure on the top of the wing, more on the bottom, and that's what generates lift.

Re:What's the solution? (1)

drinkypoo (153816) | about 3 months ago | (#47319833)

In a way, yes. The airplane wing is curved on the top, and flat on the bottom. The wind has to travel farther over the top of the wing than the bottom, meaning there is less air pressure on the top of the wing, more on the bottom, and that's what generates lift.

Well, ISTR there's still some debate about that being the whole reason, but both postulated effects (I thought the current theory was that both were real?) depend on wind resistance. Besides, you can achieve flight without airfoils.

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47318619)

It seems like his solution is: Simply don't release code that has bugs in it. Which is kind of like saying that the airline industry would be so much more efficient if we could just get rid of wind resistance.

Make writing code just like building bridges.

You have to know what the hell you're doing.

Of course, the majority of coders would lose their jobs.

Re:What's the solution? (1)

jandrese (485) | about 3 months ago | (#47319115)

And there would be no software, except for the stupidly expensive stuff that does very little.

Re:What's the solution? (0)

Anonymous Coward | about 3 months ago | (#47319045)

That would be great, if you understood where software bugs came from. A software bug is simply an oversight, and even the most experienced programmer will run into them. There are techniques to reduce them but they are not as simple to find as one might think. This is because you don't just need to find all the bugs in your software but you need to find the bugs in any dependencies your software has.

An example of this was a bug I ran into with java. I was supposed to enter a phone number using a java generated interface. I made the assumption that the 4th character would be a '-' and there would be a 3 digit number prefix, and a 4 digit suffix that was also a number. It worked great for 7 digit phone numbers. What I did not expect was that java has its own system for handling negative numbers. This meant that strings such as "-xx--xxx" were considered valid. If this were passed to some other libraries then it had the potential to crash the whole system.

What this illustrates is that programmers need to not only know exactly what their code is doing but what all code their code is connected to is doing. This problem is compounded by poor documentation, the unwillingness of companies to release their source code, inexperience, laziness, and rushed deadlines. The simple fact is that all code can be assumed to have bugs in it, if we were only allowed to release bug free code then you would have no software at all. What developers do is we release software that we consider "good enough" then hope that we can fix any bugs as they are found. This is the best anyone can hope for at this time.
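The phone-number bug in the comment above is worth seeing in code, so here is an added example (not from the thread, and in Python rather than the poster's Java; Python's int() has the same trait of accepting a leading sign, and additionally tolerates surrounding whitespace and underscores). The lenient parser does what the comment describes: check the position of the dash and hand each half to the integer converter. The strict parser whitelists the exact shape first and only then converts, so the "-xx--xxx" case and its relatives never reach the conversion step. The input strings are constructed for the example.

```python
import re


def parse_phone_lenient(s: str):
    """The approach the comment describes.

    Checks only that the 4th character is '-' and that both halves convert
    to integers. int() accepts a sign, whitespace and underscores, so
    "-12--345", " 12- 345" and "5_5-0_12" are all accepted.
    Returns (prefix, suffix) or None.
    """
    if len(s) != 8 or s[3] != "-":
        return None
    try:
        return int(s[:3]), int(s[4:])
    except ValueError:
        return None


# Exactly three digits, a dash, exactly four digits. fullmatch() is used below
# rather than '$', which would silently allow a trailing newline.
PHONE_RE = re.compile(r"\d{3}-\d{4}")


def parse_phone_strict(s: str):
    """Validate the shape first; convert only what the whitelist admitted.

    Returns (prefix, suffix) or None.
    """
    if PHONE_RE.fullmatch(s) is None:
        return None
    prefix, suffix = s.split("-")
    return int(prefix), int(suffix)


if __name__ == "__main__":
    # Constructed inputs: one valid number and three that only look valid
    # to a parser that trusts int() to reject them.
    for sample in ["555-0123", "-12--345", " 12- 345", "5_5-0_12", "555-0123\n"]:
        print(repr(sample), parse_phone_lenient(sample), parse_phone_strict(sample))
```

The general lesson is the one the comment draws: a conversion routine's idea of "a number" is rarely the same as the format you are parsing, so validate the format you mean, then convert, rather than letting the converter decide what is acceptable.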

How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47318321)

Anybody may write programs, and it looks like there's hardly a nitwit who doesn't. I've said it before, I'll say it again: The stream of crap won't cease unless the software industry is made liable for software defects.

Re:How is that the security industry's fault? (1)

ColdWetDog (752185) | about 3 months ago | (#47318339)

Anybody may write programs, and it looks like there's hardly a nitwit who doesn't. I've said it before, I'll say it again: The stream of crap won't cease unless the software industry is made liable for software defects.

The ONLY winners in that scenario would be the lawyers.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47318367)

Engineers and their products are held to higher standards, why can't software engineers and their products?

Why can't I get a security update for a critical OS flaw in a phone that is still under warranty, but when that same phone has a physical defect, I can return it or have it repaired?

Re:How is that the security industry's fault? (4, Insightful)

gbjbaanb (229885) | about 3 months ago | (#47318541)

It's an underrated point - why don't software engineers have to make products as reliable and good as more expensive engineering projects... and I think the clue is in that question.

Why can't a software engineer make something that is as reliable as a bridge? Because a bridge costs a flipping fortune and can't really be reworked after implementation, so there's a huge incentive to get the entire team together to get it right. And that means the people who really make the bridge are the architects and project managers. In software terms, we have few architects and they're usually crap ex-developers who think they know it all, and project managers who are incompetents who think it was a job they can hide their lack of skill in. Meanwhile you have a load of developers who think they are the only ones who can do the job.

A really good software project would require a technical architect who really understood what was happening and how things worked, and a project manager who understood timescales based on experience and managing the project deliveries and organisation.

It would also require a project based on old technologies - no-one really has time to get to grips with something like 'real' engineers have to do because the platform they stand on gets whipped out from under them all the damn time - which is also a problem as the idiots who don't know a thing use this as an excuse to hide their lack of talent too (how many times have you heard that someone wants to rewrite in cool new technology almost for the sake of it - you can guarantee it's because they can't hack doing the boring work maintaining or improving the old stuff, a lack of skill they'd still have if they did get to rewrite - no rewrite ever is any good, it's almost always an even worse PoS).

So all in all, there's a huge lack of professionalism in software caused by a lot of factors but I think the biggest one is the real lack of earned experience. We don't allow the good stuff to be built upon, we throw it away and start again with something else. We throw the good staff away and say they're not keeping up with technology. We hire kids because they have some buzzword on their CV.

Anyway, we don't hold software engineers to the same high standards because we refuse to accept old, working stuff. We only want cheap new shiny crap. It's no wonder the software world has turned out like it has.

Re:How is that the security industry's fault? (1)

Bing Tsher E (943915) | about 3 months ago | (#47318621)

I used to think that Open Source development methods would lead to convergence. Software could only get better, as people maintained it and continued to make it better.

Unfortunately, there is always the ego factor. People want THEIR stuff in there and that older idiot's code needs to be snipped out and replaced. Far be it for anybody to learn to communicate through their code and build something coherent for other people to build on. It happens, and some of the 'leading' projects have grown better through an evolutionary process. But it's the exception.

Re:How is that the security industry's fault? (2)

roman_mir (125474) | about 3 months ago | (#47318859)

I have a group of people working for me that had no experience before this job, this is how I selected them, found people that were only starting up. I train them, I architect the system and decide who does what based on their abilities (quality, speed, understanding, interests). Works ok as long as I can keep track of everything myself and tell each one what to do. I have set up very strict rules on how they code, what they are allowed to do and what they are not allowed, we use in house produced code generators as well, this way there is some standard and uniformity. We are still using plenty of older frameworks and tech, but some is very new (where it makes it cheaper for us to work).

So we are on JDK 7, Tomcat 7, Struts 1.2 (with some modifications I built into it myself to provide some missing features), Eclipse, ant, but also we are on the latest PostgreSQL, mercurial, OpenBSD 5.5, OpenSMTPD, nginx 1.4.7, jquery, kineticjs, flot, HTML5, a custom flash component. Nothing happens here because "it is cool", only because it works and it's proven by now. We sanitise inputs and validate them for context, encrypt data that needs to be encrypted, check against a large list of 'bad passwords', prevent mixed content (all HTTPS, all from one domain), etc.

Is this going to be enough? Who knows, but at least we are not allowing anything to be overlooked knowingly.

I find that a group of novices is just fine to work with as long as there is somebody with enough experience to guide them (in this case that somebody being myself) who takes stuff seriously.

Re:How is that the security industry's fault? (1)

digsbo (1292334) | about 3 months ago | (#47319181)

That's how it should work. But it is always up to management at some level to take responsibility to make sure someone competent is holding whoever is below accountable. This does not happen when there is a disconnect between the business team and the software team. And in most companies, there is a disconnect.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47320011)

I was trying to figure out why this is -1, but I guess this is your starting score? Damn dude, you must say a lot of anti-groupthink things.

Re:How is that the security industry's fault? (2)

Kevin by the Beach (3600539) | about 3 months ago | (#47318887)

Today during an architectural review.... (Architect) Where is the performance data? (Developer) I planned on doing that during a later sprint. (Architect) Can you guarantee that it will get done? (Developer) We can just roll this to production, it's not used anywhere. (Architect) facepalm, facepalm, facepalm....

Re:How is that the security industry's fault? (1)

gbjbaanb (229885) | about 3 months ago | (#47319005)

reminds me of a previous company.

It had a very well designed 3 tier architecture with a good set of security policies. One of which was that the web servers didn't have any connection to the database servers, not even cabled.

Then the director of an acquired company was told his PHP website was to be put on the production servers, his attitude was one of "well, we'll put the web site on the webservers and just punch a hole in the firewall to the DB".

When he was told that couldn't physically be done... his attitude was "ok, we'll have to install the PHP website on the application servers then and route web requests to it".

I wasn't impressed.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47318941)

I think what you're looking for is IBM's mainframe market. A market based on technology that hasn't changed significantly since the 1980's, and is based on early 60's technology.

While I think perfecting a technology stack is a good idea, I do think IBM has gone a little overboard on the extent to which they maintain backwards compatibility. On the other hand some of the hardware its running on seems even buggier than your average windows PC because they sell all of a couple hundred machines before spinning a new hardware platform (looking at some of the disk systems or the HMC).

Re:How is that the security industry's fault? (1)

Anonymous Coward | about 3 months ago | (#47319009)

Why can't a software engineer make something that is as reliable as a bridge? Because a bridge costs a flipping fortune and can't really be reworked after implementation, so there's a huge incentive to get the entire team together to get it right.

It's more than that, many software developers (and their employers!) just don't care.

Yes, it is difficult to develop bug-free software. But it isn't that difficult to write a program that validates its inputs, separates privileges, and crashes reasonably gracefully instead of providing complete pwnership of the system.

Example: adobe flash is a 19 megabyte installer. That is a small program. Flash continues to be one of the leading vectors to compromise a system. There has been a continuous stream of flash exploits ever since flash was released to the public.

Making a secure version of flash wouldn't be that difficult, if adobe cared to do so.

In All Fairness (1)

UrsaMajor987 (3604759) | about 3 months ago | (#47319015)

In all fairness to "software engineers", this discipline is so new it is a joke to call it engineering. Civil engineering is centuries old with more than a few huge heaps of rubble created when they pushed outside of their bounds of knowledge at the time. Lots of exploding steam engines and crashed airplanes before best practices were codified in those disciplines. Real engineers have to pass a professional exam. You could try the same thing for software engineers but the exam would be meaningless almost before anybody could take it. That tells you the discipline is too new to be called engineering however comforting the title may be. Give it another 50-100 years until it settles down. Right now, programming is more of a craft than an engineering discipline.

Re:In All Fairness (1)

digsbo (1292334) | about 3 months ago | (#47319209)

If you consider engineering a process rather than results, it's only a joke to call it engineering in 80% of companies. I do engineering every day when I use an existing proven process to get a result, or use known solutions for security features, etc.

It's the people who ignore the known body of work who cause much of the trouble. And they seem to be in the majority. But it doesn't mean there is no software engineering being done.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47319129)

Also we have been building bridges for almost as long as we have stood upright. We have had a tiny bit more practice at doing it right and wrong.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47319253)

... can't really be reworked after implementation ...

Plus there's moving the scope of software as it's being built and throwing out quality assurance because scope creep used all of the QA budget. An engineer rarely has to test for edge cases which plague software development: How many design documents include finite state tables? With hundreds of global variables in many designs, the resulting FST would be indecipherable. Software design needs a better way of describing side-effects.

... throw the good staff away ...

The son of a lawyer realized that changes in source code could be monetized. Thus 'Outlook' and 'Internet Explorer' became intellectual property rather than part of the pool of common code they evolved from (to the detriment of IE, which had the primary purpose of creating a software monopoly). This simultaneously created the generic software market, the 're-invent the wheel' philosophy and the 'embrace, extend (meaning: make the next version incompatible), extinguish (meaning: use my proprietary software instead)' philosophy.

engineers have the power to say no to boss about (1)

Joe_Dragon (2206452) | about 3 months ago | (#47319671)

engineers have the power to say no to boss about stuff and have licenses on the line.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47319793)

The analogy to bridge design fails in two ways. First, in building physical things, gravity and corrosion and etc are your friends--you know you cannot build a bridge that falls down or make it out of steel not meant for the purpose. Software, however, is built in mind-space, just about anything that can be imagined can be put into code (not that it will always work). Physical laws are no constraint in software design, and there don't seem to be any other principles that prevent software crap from being built and sold.

Second, physical things wear out due to use and environment. Lots of too-heavy trucks, rust that is not cleaned out and prevented, etc. Software wears out due to environmental change. Changes in APIs to other libraries or an OS, changes in the libraries themselves that introduce security problems.

Someone here disparaged Professor Spafford's credentials. I suggest you study before you type.

Re:How is that the security industry's fault? (0)

Anonymous Coward | about 3 months ago | (#47318571)

Because you wouldn't be able to pay for the software if it was done that way. It would be prohibitively expensive. It would be secure, but nobody would have it.

Re:How is that the security industry's fault? (1)

GameboyRMH (1153867) | about 3 months ago | (#47318409)

That would end the stream of crap in commercial software. Non-commercial software, on the other hand, would not cease to be produced the very second such a law was made.

Re:How is that the security industry's fault? (1)

Bing Tsher E (943915) | about 3 months ago | (#47318577)

It would cease to be produced the moment the lawyers put the squeeze on the distribution points and organizations hosting the non-commercial software.

Code patches are a feature too (0)

Anonymous Coward | about 3 months ago | (#47318351)

Being able to provide code patches also allows for low cost distribution to consumers for upgraded features for their products (tablets, pcs, etc.). Part of what makes computer technology so powerful is the ability to change rapidly. The cost of this is also in terms of bugs and security vulnerabilities.

One-sentence solution (0)

Anonymous Coward | about 3 months ago | (#47318363)

"Okay, you do it."

We really need to let Darwinian processes cleanse the Earth of the non-technical, non-producing parasites. Armchair commentators first. Managers second. Lawyers third. The list goes on.

TL;DR version (2, Insightful)

Anonymous Coward | about 3 months ago | (#47318377)

"We have no consequences for sloppy design and we don't hold organizations accountable for bad things."

Well obviously, we need Eugene Spafford!! (1)

NotDrWho (3543773) | about 3 months ago | (#47318379)

Clearly Eugene Spafford must be put in charge immediately, since none of the rest of us have figured any of this out!

"an industry luminary" (0, Troll)

Skylinux (942824) | about 3 months ago | (#47318401)

Another "expert" with an opinion but no solid solution.
Sorry but I just ran out of fucks to give.

Re:"an industry luminary" (1)

Jack9 (11421) | about 3 months ago | (#47318647)

> an opinion

An opinion doesn't require a solution, especially since it doesn't provide any facts to characterize.

There's no evidence that the security industry has been failing by adopting tools and methods that quite a few people use. The fact that there are few critical systems (that I use daily) which use username/password as the sole security credentials is a huge win over my experiences in '00. I think the security industry has pushed hard and made a serious dent.

Re:"an industry luminary" (4, Informative)

sconeu (64226) | about 3 months ago | (#47319289)

Uh, Gene *IS* an expert. He was one of the first guys to dissect the Morris worm, for example. He's been around from the beginning.

http://en.wikipedia.org/wiki/Gene_Spafford [wikipedia.org]

Maybe you should go FIND a fuck to give.

Re:"an industry luminary" (1)

stox (131684) | about 3 months ago | (#47320005)

Gene is one of the few people who became a "security expert" not because he called himself one, but everyone else did.

Follow the money (0)

Anonymous Coward | about 3 months ago | (#47318405)

The software companies make money by releasing upgrades with new features. The software users pay for security breaches, why would any rational software business give up the chance to make money in order to save money for someone else?

There's no money in being secure (4, Insightful)

swb (14022) | about 3 months ago | (#47318413)

But there sure is a lot of money in selling threat paranoia.

Plus software vendors are apparently immune from product liability, so they never bear any costs for defects that lead to poor security or for implementing security poorly. If they had liability for this I think you'd see a lot fewer security defects, but probably a lot fewer features as well.

Re:There's no money in being secure (1)

stewsters (1406737) | about 3 months ago | (#47318521)

Also programmers would start getting paid like doctors, so costs would rise. (Doctors whose patients were undergoing targeted attacks.)

Re:There's no money in being secure (2, Interesting)

Anonymous Coward | about 3 months ago | (#47319303)

Hah. This is too rich. I'm an engineer. An actual engineer in the traditional, licensed variety. I design physical structures that are used by the general population and have to ensure that they are safe for the next 50 to 100 years. Oh, and that they will survive the next 1-in-5000 year earthquake event, etc. I have a whole lot of product liability for what I put out and I can assure you, I do not make the same amount of money as a doctor. Hell, I don't even make the same amount of money as most software developers I know. Sign me up for being a "software engineer" where the worst thing that is going to happen to me is that I will lose my job. Right now, while making less money, the worst thing that can happen to me for the work I put out is having a collapse kill a bunch of people, going to jail, losing my job, and not being able to practice engineering anymore. Care to trade?

-anonymous geotechnical engineer

Re:There's no money in being secure (1)

Anonymous Coward | about 3 months ago | (#47318685)

Just look at Heartbleed - OpenSSL is maintained by only a few programmers, and they aren't paid jack or shit.

This is how much commerce values security planning. None. They like the bulletpoint "Uses OpenSSL!" on their marketing materials, but they have no idea how or if SSL actually works. Buzz and bluster, and no work gets done.

What part of security industry don't you get? (0)

Anonymous Coward | about 3 months ago | (#47318417)

If they actually fixed the problems that caused the vulnerabilities, they'd be out of a job!

If you don't have time to do it right (1)

rmdingler (1955220) | about 3 months ago | (#47318445)

how will you find time to do it twice?

Re:If you don't have time to do it right (1)

Bing Tsher E (943915) | about 3 months ago | (#47318511)

You get paid twice for doing it twice. Duh.

Re:If you don't have time to do it right (0)

Anonymous Coward | about 3 months ago | (#47318655)

Inside joke from a company I used to work for (as a bug fixer):
"You get $5 for every bug you fix, but developers get $10 for every bug they write"
Nothing like perpetuating job security.

Holy buzzwords Batman! (2)

rujasu (3450319) | about 3 months ago | (#47318449)

... substantial, underlying problems that sustain a sprawling cybercrime syndicate, according to an industry luminary who painted a bleak picture of the future of information security at a conference of hundreds of incident responders in Boston Tuesday.

an ounce of prevention is worth a pound of cure. (3, Insightful)

Sleeping Kirby (919817) | about 3 months ago | (#47318463)

I do have to agree in that the current development style/strategy (agile development) is less geared towards solid development and more on features and getting stuff out there. I think the article is just saying that they should do less of pushing out features and new things and more on good programming/fixing known bugs. Of course putting out a bugless program is near impossible, but there's a difference in better prevention versus better clean-up.

Re:an ounce of prevention is worth a pound of cure (0)

Anonymous Coward | about 3 months ago | (#47319165)

Why bill for prevention when you can bill for cure? Nobody, or very few, ever see a dietician before a doctor. Exact same story, much higher consequences. People are reckless and more willing to pay for catastrophe than maintenance; business just follows the market. If people pay to eat deep-fried Snickers bars and don't pay for kale, what are you going to do?

LIKE THE DRUG COMPANIES !! (0)

Anonymous Coward | about 3 months ago | (#47318531)

Sell the cure and it is over !! Sell the pill and it goes on FO-EVAH !!

Lack of security consciousness (0)

Anonymous Coward | about 3 months ago | (#47318533)

How is anyone tasked with securing information services supposed to stem the tide when software development cycles lack security awareness?

An average IT guy can't do anything about it but patch and firewall. We, as an industry, have gotten quite good at that. What needs to be done is to enforce penalties when a software development organization does not live up to due care. These lack of bounds check shenanigans should have died decades ago yet they persist for want of an incentive.

As long as Republicans keep pushing Windows... (0)

Anonymous Coward | about 3 months ago | (#47318543)

and forcing us to buy it through their Microsoft tax, we will never get away from this problem. Microsoft intentionally creates horrific software in order to create a market for anti-virus and other worthless products. Also, they know that most people will simply buy another computer when their Windows crap quits, and it always does. The Republicans are happy for the increased consumerism due to the constant trashing of perfectly good equipment. That is their way.

Re:As long as Republicans keep pushing Windows... (2)

Lab Rat Jason (2495638) | about 3 months ago | (#47318663)

Cite your sources.

Re:As long as Republicans keep pushing Windows... (1)

Opportunist (166417) | about 3 months ago | (#47319257)

Even though I give you only a 2 on the Open Troll Scale, you made my head hurt enough that I feel the pressing urge to write a reply.

First of all, MS systems are surprisingly stable and secure. It hurts me to actually admit it (and I still say the main source for the security of Win8 stems from even malware writers not being able to figure the turd out), but MS has come a long way, its system offers a fair amount of stability and security and they are very quickly reacting to discoveries. Some of their "solutions" are ... let's say lacking (like their memory address randomization or the TCP packet number randomization, both sucking in ways that make you wonder... but I ramble), but considering their market share and hence how interesting a target they are, I'd wonder how other systems would be doing.

The main attack vector these days is popular third party software. Flash and Acrobat Reader have been widely used, the same applies to popular browsers. All of them because they enable very simple and efficient online attacks that are hard to avoid by the users (online advertising being one of the big issues here). Another attack vector that has been tried and that I'd dare say will become increasingly important in the future is games. Considering how popular certain games are and how most of them routinely require an online connection, either to communicate with servers or for online activation and DRM, they would make a great attack vehicle: People are used to disabling UAC and antivirus systems for games (because they conflict with DRM), they are used to having to open ports on their routers to make them work and if that makes the game work, they will quickly forget about anything "odd".

That's the whole point ... (0)

Anonymous Coward | about 3 months ago | (#47318569)

The purpose of an industry is to promote the industry and to make money from it (not necessarily in that order). To eliminate itself by fixing errors, or doing anything for the general benefit of the consumer instead of for profit, is counter-productive. What the hell did you expect?!?

There are a few things we can do. (1)

stewsters (1406737) | about 3 months ago | (#47318607)

Underlying dangers: the user?

What we should do is research safe alternatives for languages (http://www.rust-lang.org/), more sandboxing of who can access what (SELinux, AppArmor), and better and simpler libraries (LibreSSL). No plugin Auto-run for untrusted sites.

Antivirus is cool and all, but it's not as good as fixing the bugs. Unfortunately it is more profitable.

Impossibru! (1)

Lumpio- (986581) | about 3 months ago | (#47318653)

Anti-virus is not a solution to the real problem!? Whaat? How can this be?

Re:Impossibru! (2)

Opportunist (166417) | about 3 months ago | (#47319173)

Just because this thread needs a car analogy, too: Antivirus is no solution for crappy software any more than safety belts are a solution for faulty brakes.

Stockholders come first, security isn't important. (1)

kbonin (58917) | about 3 months ago | (#47318671)

Working in this industry at several giant companies, the view is simple - the company works for the stockholders, the stockholders demand ever higher returns, and NOTHING the company does is nearly as important as increasing the short term stock price. So what money is spent on R&D will be spent chasing new "shiny" features and the absolute bare minimum level of security and bug fixes required to "continue leveraging the brand". In the meantime, the business will focus on increasing the productivity of its remaining workforce, and continue to look for new ways to innovate through outsourcing, off-shoring, right sizing, acquisitions, virtual workforces, and anything else that looks good on paper for short term gains while not requiring hiring new FTE (Full Time Engineers), at least domestically.

Re:Stockholders come first, security isn't importa (1)

tibit (1762298) | about 3 months ago | (#47318881)

The company doesn't work for the stockholders. The company has a mission, and the stockholders who don't agree with it are simply not your stockholders in the first place. They don't bother. The founders of a company are free to set the mission as they see fit. The mission doesn't have to be 100% profit- or ROI-oriented. It's perfectly possible to have a public corporation that's after greater things than money. Just because for example Microsoft isn't set up this way doesn't mean it's a law of nature. Far from it.

Well yes and no (1)

gelfling (6534) | about 3 months ago | (#47318677)

Yes there are bad products, an increasing quantity of bad products. And an increasing quantity of things to fix more than once. And an increasing number of exposures and so forth.

But, SW has never actually been an engineering discipline. So there's no real way to make things better off the blocks or fix them once they're out. But key problems really have to do with people not things. People are the weak link. And as long as you have to rely on people it will remain the weak link. A better approach would be to take a more holistic approach to allow for vulnerabilities of a given scope and size and build around them as it were. For example if you know that your servers won't get patched very well then fence them off so they can't hurt very much even where they're badly broken. If workstations are infected because people are retards who click on anything, fence them off too so even when they do they can't propagate their own mistakes.

Moreover, you have to understand that not every vulnerability means the same thing. Some things simply won't hurt your company the same way something else will. Heartbleed while a big problem and very pervasive is still only going to point to 64k ram volatile memory blocks. Blow your stuff out before it gets there. Not every unpatched system not every firewall rule will actually hurt your company or conversely its fix help you.

You need to understand that being 98 or 99% healthy is ok too.

Re:Well yes and no (1)

Opportunist (166417) | about 3 months ago | (#47319161)

You have to know WHICH 98% count, too.

To stay in the "health" analogy, me not having malaria medication can be acceptable or not, depending on whether I sit in Alaska or Zaire.

Here's the problem. (5, Insightful)

johnnys (592333) | about 3 months ago | (#47318755)

The "Security Industry" makes money for the shareholders selling "stuff". Any time they see a problem, they will treat it as an opportunity to sell more stuff, since that is how they make money. If the problem is because the customer has already bought too much stuff, they will still try to sell the customer more stuff since THAT IS WHAT THEY DO.

So if you want to be secure, what do you do? We all know: You get rid of crappy software, simplify your systems, remove unnecessary cruft and hire developers, network systems people and architects who can build you what you need securely. You do NOT hire the cheapest meat puppets who can find the company website and spell "javascript" and you don't outsource your security to the lowest bidder.

This requires real effort on the part of the company paying for all this: They need to recognize that the "Security Industry" and their shiny, happy sales droids are just parasites ripping off the public with the "latest and greatest security stuff that will really protect you this time I promise not like all the other times, I really really mean it THIS time!".

They really need to understand that the RIGHT way to GET Security is to design it in, have the right people building and managing it and proper oversight over all of it. To do that you have to treat it as a profession and a core part of what the company does, not as a "service" or "product" that can be "bought in" or "outsourced" to a low bidder.

Security needs to be treated as a profession in any company with a significant cyber presence, just like the accounting team, the legal team and the core business functions. Pretending it's "just something that we can buy from a vendor" is short sighted and ignorant.

Re:Here's the problem. (1)

Opportunist (166417) | about 3 months ago | (#47319117)

The solution: Make laws that get board members at their nuts if they can be made responsible for security breaches and the loss of data.

Fines are a matter of risk management and cost accounting. Jail time is what turns heads.

Different analogy (0)

Anonymous Coward | about 3 months ago | (#47318799)

My friend had a huge fish tank. When it started leaking he put some glue on the seam. Then he tried duct tape, and more duct tape.
When it became a big enough mess, he drained the tank and cleaned it properly.
We are currently in the "add more tape" phase of the problem. It does not help that there are a lot of tape vendors who like selling terrible solutions to the problems.

Re:Different analogy (1)

Opportunist (166417) | about 3 months ago | (#47319071)

The problem is that we see it leak and we still pump more water into the tank instead of finally draining it and buying a new one.

Per Mr. Spafford (0)

Anonymous Coward | about 3 months ago | (#47318825)

Don't bolt on more - Natively, hosts = better than browser addons @ many levels (efficiency + added speed, security, reliability, & anonymity + fix DNS security redirect issues):

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of benefits in link)

Summary:

---

A.) Hosts do more than:

1.) AdBlock ("souled-out" 2 Google/Crippled by default)
2.) Ghostery (Advertiser owned) - "Fox guards henhouse"
3.) Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B.) Hosts add reliability vs. downed/redirected dns (& overcome redirects on sites, /. beta as an example).

C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity/room 4 breakdown,

D.) Hosts files yield more:

1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs Fastflux + dynamic dns botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).

---

* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons = more complex + slow browsers in message passing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray is destroying Adblock.

* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption too + hugely excessive cpu use (4++gb extra in FireFox https://blog.mozilla.org/nneth... [mozilla.org] )

Work w/ a native kernelmode part - hosts files (An integrated part of the ip stack)

APK

P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

...apk

Cash is King (2)

mrflash818 (226638) | about 3 months ago | (#47318843)

Thanks to all of this, and the NSA/GCHQ Orwellian Internet world, I no longer do any commerce online.

Online for me now is chatting, posting, blogging, /., emailing, sharing source code.

I no longer do any purchases, or access any online systems that deal with money (banks, credit unions, etc), via the Internet.
Even in the real world, I try to only get my cash via walk-up to a bank teller. No more ATM use. No more credit card/debit card use, if I can at all help it.

Is trying to do a cash-only lifestyle a total time suck, and inconvenient? Yep.

I am certain I can still be a victim, but I am doing what little I can to not be an easier target.

"Always look on the bright, side of life..." -- Monty Python

The software industry not the security industry (1)

nut (19435) | about 3 months ago | (#47318911)

The title (of both the slashdot post and the original article) is misleading.

The article cites one Eugene Spafford who observes that, "software makers churn out products riddled with vulnerabilities." That's not the security industry's fault.

He goes on to tell us that law enforcement is inadequately equipped and that criminals protect themselves by bribing government officials. That's not the security industry's fault either.

Of the tools the security industry does use regularly he says that, "We’re using all these tools on a regular basis because the underlying software isn’t trustworthy." Again that's not the security industry at fault.

And the solution?

"... an investment in computer programming education and a major move by software manufacturers to embed software security concepts early into the development process."

Sounds reasonable to me. Also sounds like a task for the software development community generally, NOT just those specialising in security.

Nothing new there. (0)

Anonymous Coward | about 3 months ago | (#47319033)

That has been obvious ever since MS DOS.

Solution: Don't buy crap (3, Insightful)

Opportunist (166417) | about 3 months ago | (#47319047)

Sorry, and I know I'll be very unpopular for this, but the blame is on YOU. Yes, YOU. You there who always have to buy the latest and greatest turd that someone puts into a shiny, sleek piece of plastic and calls it the NEW $whatevergadget. As long as you buy buggy, crappy, spyware-attracting, insecure shit just because OHHHH! SHINY! you get what you deserve.

Welcome to capitalism. If I can sell you a piece of turd that stinks, why should I waste money on perfume?

Make the companies pay! (2)

EMG at MU (1194965) | about 3 months ago | (#47319067)

I used to have a retirement account with a certain financial services company. They stored my password in plain text. To recover your password they would physically mail it to you. This kind of stupidity should be illegal. It should be criminal and the company should have to pay fines for being asshats.

Companies don't fix underlying problems because management doesn't see any value in doing so. They also see no risk in having insecure products. Until there are real financial penalties for blatant incompetence regarding security nothing will improve.

Mid level management attitudes are the problem (0)

Anonymous Coward | about 3 months ago | (#47319107)

When I worked for a large defence contractor, as a KM admin and trainer, I found the single greatest risk to the security of the system was the attitudes of middle level managers and project managers whose background was not in IT. They would consistently side with vendors when issues with proposed solutions were raised because I could not sell the idea of the risk to them as well as the vendor could sell the idea of trivialising it.

No one cares... (1)

jasno (124830) | about 3 months ago | (#47319227)

I've got over a decade of working on networked, embedded devices. With the exception of content security, I have never in my recollection been on a project where a significant effort was devoted to the security of the system.

I've worked for a company who made devices which process electronic payments. I asked them about security and whether they ever did an audit. The SW veep's response was "We use SSL."

No one wants to think about it. Security is a hard problem and it blows budgets. Forgetting about security during development rarely (never, really) costs anyone a job.

Marketing and management need to require it before the money generates the will to fix it.

Thieves Are Welcomed (1)

Jim Sadler (3430529) | about 3 months ago | (#47319233)

Up until about 1985 phone sales thieves were more than welcomed to Florida as long as they did not make sales within the state. Local politicians were only concerned with money being brought into town and had no concern about losses by people in other states or nations. Although there was a bit of a crack down it really remains somewhat true today. Cyber crime on an international level may well benefit towns in other nations. After all the thieves buy pizzas at local restaurants and cars at local car lots. Trying to get other nations to spend money stopping cyber theft is not likely to have great success. When we see nations like Russia or China allowing a lot of cyber crime we would either have to put trade sanctions in place or cut their access to the net which would be quite difficult. Organized cyber criminals will simply move to other nations and keep right on doing what they do just as some American phone sales scams are conducted by American sales people working in Burma and other nations. That call that sounds like your neighbor may be quite international these days and it may be your neighbor all those thousands of miles away.

It's a money problem ... (1)

CaptainDork (3678879) | about 3 months ago | (#47319273)

Target customers should have filed a class action lawsuit. The evidence is pretty clear that Target flubbed the dub. Let Target look over its shoulder for responsible parties it can sue for damages. Let those look for scapegoats, as well. The buck stops somewhere. Someone didn't plug holes or a software has an exploit or an operating system is porous. In other cases (see Snowden, see Manning) the problem is non-hardware/software related. The justice department should have filed charges for dereliction. The custodians of the data have got to have an incentive to lock the freaking doors.

Target outsourced all / most / some of their IT (1)

Joe_Dragon (2206452) | about 3 months ago | (#47319699)

Target outsourced all / most / some of their IT

and it seems like at least some of the software alerts may have gotten lost at the help desk in India

Well, Duh (0)

Anonymous Coward | about 3 months ago | (#47320049)

I work in network security. We make an IPS. It's a box that sits on the network and blocks attacks. We can't do anything to fix the fundamental issues at Oracle or Microsoft, we can just ameliorate the impact.

So the problem is the software industry in general, not the security industry in specific. Although, as long as CIOs fall for things like NSS's extortion racket, senior management is nowhere near blameless themselves.
