The Daily Incite - January 22, 2007
January 22, 2007 - Volume 2, #12
Good Morning {!firstname}:
Hi, I'm Mike and I'm an addict. For those of you that have read the Pragmatic CSO introduction or the full Monty, you know that's how every chapter starts. Though I am not addicted to the status quo of battling security and buying security products (like you probably are), I am addicted to live comedy. The boss and I went to see Roz (from Last Comic Standing) and she put on one of the best comedy shows I've ever seen, including eviscerating a drunk girl in the front. Though I doubt this addiction will require a 12-step program or an intervention. Laughter is a wonderful diversion from our daily grind.
Let's focus on application security today, since it remains one of the biggest problems we security folk face. I just love when mainstream tech media make pronouncements that are so obvious, yet so ridiculous (here). It's not like we security folks don't know how to fix the secure applications conundrum, but doing it is totally another ballgame. But whatever, as long as security remains part of the discussion, that's a good thing. I also highlight the grand entrance of Veracode onto the scene (here). Driven by some smart dudes, but with a different business model - basically not teaching the man to fish, but fishing for them. With the fish being application security errors. It'll be interesting to see if they can gain any traction.
Continuing our application security focus in blog-land, Jeremiah makes the point about the hazards of chasing the low hanging fruit (here). Though usually a good approach, given that eliminating the last 10% of issues tends to cost 4 times as much, when you are talking about critical business systems (read the P-CSO if you aren't clear about what those are) no stone can be left unturned. And Schneier brings up the old liability card (here) as well. He's written about this before, but until there is some kind of legal precedent establishing the liability of the software maker, forget it. No one is going to volunteer to accept liability, given the litigious nature of the tort vultures here in the US.
Have a great day.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com
Top Security News
If it was easy, everyone would be doing it
So what? - So evidently the answer to building secure code is to buy a source code analyzer and be on your way. That's why it's very dangerous for big tech media (meaning they don't specialize in security) to go to security meetings (or worse, get a bunch of "advisors" together to wax poetic about how easy the problem is to solve) and then document their findings. They don't have the context they need to present a balanced position. First, developer security awareness (like how developers should build secure code) is even harder than end user security awareness for the great unwashed. A lot harder, and lord knows we've all failed miserably at end user awareness training. Developers are under the gun; adding anything to their plate goes over like a lead balloon. The answer is not to "stop repeating the same mistakes," it's to get a MANDATE from the CEO that forces a new security-oriented development process, which will entail delays and other issues - especially at first.
http://blogs.zdnet.com/BTL/?p=4280
Big G jumps on secure app bandwagon
So what? - The only thing I didn't see in this coverage of a Gartner report on the rise of application security source code scanners is the probability. Is it a .9 probability that 50% of enterprises will use "some amount" of app security scanning by 2010? Or maybe .7 probability? If it's less than that, they don't print it. Or has Gartner moved away from probabilities altogether? Regardless of the number, it's bigger than a bread basket and application security is the next frontier for us security folk to address. It won't be easy and there is no tool that just solves the problem, but what we are doing now is not working. So it's high time we started thinking differently and software vendors can drive that train by getting their act together first. As I said above, this will require a mandate from the CEO to make it happen, but sooner or later they'll figure out how much it really costs them to ship crappy code.
http://www.darkreading.com/document.asp?doc_id=114615
So that's what Veracode is doing...
So what? - Looks like Veracode is taking off the wrapping paper and will announce at RSA next month. It's a pretty high profile start-up because they've got a bunch of big-brained security guys (mostly from @stake) that have a good track record. The idea seems to be code reviews as a SaaS. Well not really SaaS, but done via a portal. It's an interesting model, but as this article points out - a lot of folks may be unwilling to upload their source code to a web portal. But is there really much difference between that and sending it to some freelancer that is basically doing the same thing? What hasn't been announced is the pricing. That will make or break this service. And the general idea of leverage - can they scale this up, given the need for human intervention for each review? But to find that out would mean they've done something right.
http://www.networkworld.com/news/2007/010907-veracode-security-evaluations.html
Isn't SONAR supposed to be early?
So what? - In the category of what took them so long, Symantec is finally integrating some behavioral based technologies into their desktop suite. Called SONAR (fancy name), this new stuff is based on some technology they bought back in 2005 for a song and a dance from WholeSecurity. But this underscores the problems with the big AV suites. It takes them two years to work a new technology through the product cycle. That's not fast enough sports fans. Behavioral-based protection has been around for a long time, it's ridiculous that the market "leader" is just getting around to integrating it now. I guess that means we'll see application control in the Norton line sometime around 2009. Just in time.
http://news.yahoo.com/s/infoworld/20070117/tc_infoworld/85188_1
Top Blog Postings
Picking the low hanging fruit
Given that I'm not the tallest guy out there, I always appreciated low hanging fruit. It's easy to pick and tastes just as good. But if the top of your tree is set ablaze, guess what? Yep, the entire tree goes up in flames. The real question is whether you are protecting the right tree. So I agree with Jeremiah Grossman here, in that the sophistication of the tools today means the bad guys can find the high fruit pretty quickly, if they are determined. So you need to do better than that. But reality dictates that you can't fully protect every application, so you need to choose wisely. How do you do that? Actually you don't; your business users do. Read the P-CSO if you don't get that. It could save your career in security.
http://jeremiahgrossman.blogspot.com/2007/01/dr.html
Sure, I'll take 3 liabilities to go
Schneier is right, but pissing up a tree. It is ridiculous that software vendors have no culpability when it's obviously a hole in their code that results in a major privacy breach. But no one (to date) has had the stones to sue the software maker. Why? Because it's hard to prove and a jury may not be able to figure it out, even if they find the smoking gun. But that will be changing. Software as a service pretty much changes everything. Now the enterprise needs to integrate stuff from multiple players, and it's in that integration that the typical software company can hide. But when the SaaS vendor provides everything? You got it, it's their problem. They can't blame the other guy because they ARE the other guy. So it'll be interesting when Salesforce.com gets nailed (and eventually they will) and the vultures circle, because they'll have no one else to blame.
http://www.schneier.com/blog/archives/2007/01/information_sec_1.html
Quantifying ROI for PCI
Whoever invented ROI should be beaten with a stick. Actually, it's an important concept for business management, but for security it doesn't work so well. So I read with interest this piece on ROI for PCI compliance. But it leaves me wanting. Wanting what? Basically, I want the discussion to just go away. The major benefit of compliance is in not getting hacked? That's ridiculous. The benefit of compliance is in making your auditors go away and ensuring you won't end up like our friends at TJX, all over the front page with your dirty laundry bared for all to see. It's not about offsetting fines, it's about protecting the contract you have with your customer to protect their data. Strong security will give you compliance. If you just try to buy compliance, you will end up with nothing but a big crisis communications bill.
http://datasecurity.wordpress.com/2007/01/22/roi-of-pci-compliance/
A different set of 4 questions
Thankfully I had a younger brother, who would usually get nailed having to do the 4 questions at our annual Passover Seder. But Ross Brown has a different set of 4 questions that you should ask either yourself or your customers to begin the dialog on how the environment is secured. Of course, they are open ended, but a good conversation starter. The most critical one is #4, which is "how do you know?" That's the key issue, and unless you have a good answer, it's a bad answer. You can pen test, you can benchmark, or do lots of other things. But you had better be able to prove your defenses to someone else, or the bad guys will prove they don't work too well.
http://technobabylon.typepad.com/tb/2007/01/4_questions_to_.html