I was doing a talk for the OWASP meeting in Glasgow the other day, which covered the OWASP Top 10. I had made the point that the Top 10 is largely the same now (in its 2013 iteration) as it was in its original iteration in 2003. Someone asked me a question based on that which (roughly) was “Why isn’t security getting better?”
Good question really and obviously one there’s not a simple answer to. At base I do believe that the state of defensive security is going to get worse before it gets better and it comes down to a number of factors.
I’ve got a list of them below, but ultimately I think it comes down to incentives. Good software security and good enterprise security are difficult and expensive things. If the economic incentives aren’t there people just won’t do it.
Increasing spend/focus on offensive security
Offensive security is becoming a larger and larger industry driven by demand from governments and to a lesser extent corporates for “cyber attack tools”. Essentially to me, this boils down to people finding exploits and creating malware to deliver them. That focus has a couple of effects which are likely to be bad for overall security.
* As these tools are developed they will “escape” into the wild and be re-used by criminal elements.
* Governments have an active incentive not to rush software providers to fix critical issues, as this would destroy some of their expensive cyber weapons.
* More security people spending their time on offence, means there’s likely to be less spending their time on defence.
There’s been so many breaches that they’ve stopped being news. I read a piece recently on Ars Technica where the university that the journalist had attended had a breach and a good number of records were compromised (310,000). When he went to report this his editor essentially said that it wasn’t a big enough story to warrant reporting.
This is an example of breach fatigue, where breaches become so common that they’re not noteworthy any more. The problem is that this removes one plank that security people use to get companies to spend on defensive security, reputational damage. Essentially now, unless your breach is really bad or you handle it really badly, there is no reputational damage from a breach.
Another example of this was linode. They’ve been breached a couple of times and in discussions I see regarding using their service, the security provided does not seem to be a factor.
The cousin of breach fatigue is vulnerability fatigue. These days every large software company has had security issues and has had to fix them. Some companies handle them better than others, but again I don’t see that being a big factor in companies choosing what software to buy…
Many people in the security industry would point to Oracles poor handling of security issues at various points (slow fixing, lack of communication etc) but I don’t see that having hurt their sales figures at all.
And on the flip side you see companies who are generally considered to do security right still have breaches (e.g all the major browsers falling at this years Pwn2Own ).
So there has to be an element of some companies wondering to themselves whether it’s worth the effort to have a truly great software security programme.
No Legal Requirements For Secure Software
Realistically in most jurisdictions, there’s no requirement to produce secure software. There may be regulations relating to it (e.g. PCI) but governments seem to be steering well clear of actually legislating that software companies have any obligations in that regard. Personally I think this is where we’ll end up but it’ll be a hugely uphill struggle as every software company out there will fight this to the end.
FWIW I think that government legislation of this type will be a disaster for the IT industry but if nothing else works, it’s where I think we’ll end up.
Lack of developer training
Ultimately all IT security bugs come down to software or users. We can’t fix human nature, but theoretically we could fix software security bugs. Unfortunately I don’t think this is going well. Most people would agree that producing secure software requires that developers receive good in-depth and repeated training, but where will they get that from?
From universities? Nope – I’d be surprised if more than 10% of programming or computer science degrees have good secure coding modules throughout the degree.
From employers? Nope – A lot of companies have constrained budgets already and the idea of spending good money on proper face to face training for all their developers, isn’t likely to happen especially if they can’t see a direct correlation between that training and their bottom line profits.