I've been reflecting on last Friday's excellent Cyber Security KTN workshop on Secure Software Development. This special interest group has been meeting for some time and I'm pleased say there's been a fair bit of progress as the sessions are broader, deeper and the group is better joined up with other standards activities, including ISO and OWASP initiatives.
The workshop included parallel streams addressed business cases, good practices, training, and the systems development lifecycle. That illustrates the large scope of the problem space. It's not just about cutting secure code or developing better testing tools. We need to get things right much earlier in the development process.
It's a strange phenomenon of security that encourages us to address issues from the end point of a process, rather than its starting point. I noticed this when writing the original BS7799 text. The weakest chapter was the one on systems development. It's always been the last place we focus our efforts. In fact our development lifecycles have for decades ignored security. And when we do address this area, we start at the end of the cycle, focusing on operational issues first, then testing and then coding standards, with more emphasis on securing the finished product than educating the designers.
Ideally we should have started at the beginning of the cycle: address the business case for security, then the requirements analysis, then the design principles and then the architecture. These are easier areas to improve, and yet they remain the least developed. We could make a big impact by if we could agree a simple set of design principles (such as always use open, secure protocols) and provide guidance on security architecture.
]]>The incident, in which a Chilean hacker published confidential records on six million people, illustrates the fact that it’s increasingly harder to keep anything secret in a highly networked society. Even with good perimeter security, insider threats remains a possibility.
We need to move faster towards a society that has less dependency on keeping things secret and can recover quickly from large scale breaches. That’s the only long term solution.
One wonders how many records of innocent people, perhaps wrongly or falsely accused of fraud or theft, might be lurking on such a database. No doubt it will reduce crime. But it will also provide leverage for attempts at staff harassment.
]]>It’s an interesting development, though only time will tell as to how it develops and what value it adds. In practice many of these circles end up doing quite different things from what they originally expected to do.
FIRST, for example, has branched out into running corporate executive programmes, a far cry from its original techie focus. eema dropped its original title of “European Electronic Messaging Association” because it was too restrictive and now aims to address anything to do with identity and e-security. The Open Group has transformed itself many times since its predecessor, X/Open, was set up the early 1980s to agree a non-proprietary operating system standard for minicomputer vendors.
I wish them well. In the security world you live on your contacts. We can’t have enough of these circles, especially open, free ones.
That was the right decision. Two wrongs don’t make a right. No matter how helpful it might have seemed to intervene, it would have been unethical, illegal and a potential liability. Untested changes always present a degree of risk. You can never be sure what might result. And it’s the thin end of the wedge. Where might such a precedent lead?
For those that don’t know Lee, I should point out that he’s the guy who sold the concept of Information Warfare to the US Air Force. He’s also the father of intrusion detection. He developed the first commercial product, NetRanger, which Cisco immediately acquired.
For several years Lee has been working on voice firewalls, initially to help control and manage PABXs but increasingly as a solution to converged data/voice architectures. His company SecureLogix has a unique perspective on this solution space.
And the security risks presented by voice and data convergence should not be underestimated. Over the next few years we’re going to see increasing pressure for more effective architecture solutions.
I can understand why big vendors prefer to imagine a future free from single point solutions. But I find it sad and strange to hear customers complain about the number of security products available for them to buy. Bruce Schneier drew attention to that in his report of this year’s RSA Conference. His observations were correct, though I disagree with his forecast of the death of end user attendance at large exhibitions. In my view these events will go from strength to strength, as products proliferate and security becomes even more fashionable. 12,500 visitors are reported to have attended Infosecurity Europe. Next year’s event will be even bigger.
There are several reasons for the frustration of users. The market is immature and inefficient. Products are improving but marketing is still weak. I know that because I advise many start-up companies and venture capitalists. But inefficient markets present business opportunities. And networks are a powerful tool for improving searches and communications. That will all get fixed over time.
It’s also becoming much easier for customers to deploy new products when offered as Software as a Service. That at least overcomes the complaints of operations staff about the number of different boxes they have to install in their equipment racks.
I’ve pointed out before that acquisition of smaller products by bigger vendors will not reduce the number of standalone security products. The problem space is huge and growing. The solution space is tiny by comparison. What we’re really lacking is imagination. There is plenty of existing academic research to underpin dozens of new security product concepts that would deliver value to customers. I can think of several that are easy to build and that customers would buy. But we keep seeing variations of the same solution. A lack of creative product development is the real Achilles’ heel of the security market.
There's one or two interesting perspectives on current issues and trends. Both of them emphasise the importance of getting back to basics. Ray wonders whether public authorities are ready for another year of floods. Probably not. And Bruce is surprisingly optimistic about the future.
I was particularly impressed to find that Apple founder Steve Wozniak is on their advisory board. It just goes to show that at least some mainstream IT hackers (in the true sense of the word) have stayed close to their roots.
Steve Wozniak is famously connected with Blue Boxes, perhaps the earliest dedicated hacking tool. He probably understands security better than many CISOs. I wish them well.
Security SaaS has also become a widespread option for security services. IDS services such as Counterpane and email-scanning services from MessageLabs were first on the scene, followed by Qualys’s pioneering vulnerability scanning services. Over the past year we’ve also seen the emergence of further filtering services from Scansafe and Webroot, and application testing services from Veracode.
Security in the cloud was a common buzz phrase at Infosecurity last week. There’s a clear trend here and it’s a very useful one as it enables organisations to escape the restriction of having to operate exclusively through their corporate networks. Security SaaS is a major step on the road towards de-perimeterised business operations.
]]>Faster product cycles and growing complexity are obvious contributing factors. A further one might be the introduction of lead-free solder. But there is no excuse for not applying quality, durability and usability tests at the design and production stages.
And the same holds for software testing, but with the added need to eliminate security weaknesses in both the design and code. There’s no excuse other than ignorance because it’s not expensive to conduct tests at each stage. And it’s certainly a lot cheaper than applying post production changes.
One security testing product that caught my eye at Infosecurity last week was Veracode’s binary testing service which is fast, affordable and rapidly pinpoints security flaws. If it does half of what it says it does, it would seem to be a mandatory tool for application developers and their customers.
And of course if it was claims tested by the CESG CCTM scheme, then we’d know that it does what they claim. In fact all prudent organisations should mandate both security and claims testing. There’s no excuse not to.
But now you can see what’s planned across the Globe, as far ahead as you wish to look. The answer is to be found at INFOSECDIARY, a free online diary of forthcoming security events.
Amongst all the noise and bustle I managed to conduct filmed interviews for Computer Weekly with Ray Stanton, BT’s Global Security Director and Bruce Schneier. You’ll be able to see the results in a few days on the CW Web site.
As usual there was little that was truly innovative but many new products and a few interesting trends such as more focus on security “in the cloud” and data leak prevention, and better management tools to help tackle the increasing complexity of security solutions. I’ll be covering further highlights in later postings, so watch this space.
I have to admit that I’ve been a little disappointed in recent years. This gathering is the number one event in my book. It should be the smartest and most thought provoking of all of the international security conferences. London has the highest concentration of top CISOs in the World. Most will be attending and many are presenting. There’s should be plenty of thought leadership and innovation.
Infosecurity doesn’t suffer from the heavy vendor spin of the RSA conferences. The programme is a reasonable balance of user and vendor perspectives. And we have lots of top gurus in town, including Bruce Schneier.
Let’s hope it will set the scene for the Year. I'll be there for the duration. I’m certainly looking forward to connecting with my friends and forging new partnerships.
]]>This logic is based on an assumption that a higher level of security exists around large, centralised web-driven datacentres. Centralisation therefore enables increased security at a lower cost because of the economies of scale.
I can certainly accept that it’s cheaper to centralise security. You need fewer security staff. But there’s no such thing as a free lunch. Fewer staff and centralised storage of records will also introduce a few security risks that we didn’t have before. Of course not everyone is concerned about risks such as large-scale data compromises. They affect some companies more than others.
And that's why, when it comes to security solutions, one size does not always fit all.