I don't have anything against the sport; in fact, I think that if the software security people want to get into the enterprise security game they have to get a lot better at golf. I blogged about how the network security sector is about fifteen times larger than the software security sector, prompting one person to write saying that we have invested wisely in network security, eliminated the problems, and will address the software security problem with internal processes and tools.
The problem is that, compared to software security, we are clearly overspending on network security. The hardware and software have been unchanged for a decade; in any other area of computing the cost would be falling like a rock (how much would the 1995 version of Oracle or Windows cost now? 5 cents on the dollar, yet CISOs still cut $900M worth of checks to Checkpoint each year). There is no market effect because the CISO's budget keeps increasing and they have no idea what, where, or how to spend it, so they just play golf with their Checkpoint rep and send in the renewal.
Internal processes and tools are necessary yet nowhere near sufficient to "solve" software security. One reason we "have gotten rid of" network attacks is that no one cares: it's a 1990s 31337 attacker goal, not a mafia enterprise goal (botnets aside). Business, be it legitimate or criminal, wants data and functionality, so it's all about apps and data. We are just at the very beginning crawl stage of even understanding how to solve these problems. That's why when I hear security consultants harsh on something like static analysis I just laugh. Are they better than a top 1% resource in the world? No way. Do we have a multi-billion-dollar gap to close? Ya sure, ya betcha. We need things that scale.
People don't write their own virus protection, but for some reason attempt to do their own input validation; it is the same exact problem. People routinely write their own authentication, authorization and audit. I could go on.
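As an added illustration of that point (this is example code written for this page, not code from the original post): a typical home-grown path validator beside one built from the standard library's canonicalisation functions. The document root `BASE_DIR`, the function names and the request strings are all assumptions constructed for the example.

```python
import posixpath

# Assumed document root for the example; a real application would have its own.
BASE_DIR = "/srv/app/public"


def homegrown_is_safe(user_path: str) -> bool:
    """The kind of validator people write themselves: it rejects requests
    that *start* with '../' or '/', and looks adequate at a glance."""
    return not (user_path.startswith("../") or user_path.startswith("/"))


def library_is_safe(user_path: str) -> bool:
    """Canonicalise first, then check containment.

    posixpath.normpath collapses '.' and '..' segments the way the OS
    resolver will, and commonpath makes the containment test exact, so a
    sibling directory such as '/srv/app/public-old' is not accepted just
    because it shares a string prefix. On a real filesystem, also apply
    os.path.realpath so symlinks are resolved before the check."""
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    return posixpath.commonpath([BASE_DIR, candidate]) == BASE_DIR


# Constructed request strings: a few legitimate ones and a few that
# escape the root without starting with '../'.
SAMPLE_REQUESTS = [
    "index.html",
    "static/./logo.png",
    "static/../../../etc/passwd",
    "./../etc/passwd",
    "..",
    "/srv/app/public-old/secret.txt",
]


def compare(requests=SAMPLE_REQUESTS) -> dict:
    """Return {request: (homegrown_verdict, library_verdict)} so the two
    validators can be read side by side."""
    return {r: (homegrown_is_safe(r), library_is_safe(r)) for r in requests}


def disagreements(requests=SAMPLE_REQUESTS) -> list:
    """Requests the home-grown check accepts but canonicalisation rejects."""
    return [r for r, (home, lib) in compare(requests).items() if home and not lib]


if __name__ == "__main__":
    for req, (home, lib) in compare().items():
        print(f"{req!r:40} homegrown={home!s:5} library={lib!s:5}")
```

The home-grown check is not wrong for the inputs its author had in mind; it is wrong for the inputs nobody thought of, which is exactly why validation, like virus protection, belongs in shared, scrutinised code rather than in every application.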
I have rarely seen an industry so ripe for disruptive innovation as software security.
Great article and comments.
Being harsh on static analysis has its place.
So it's not the tool itself. Heck, I'm currently running FindBugs and a commercial product on an 18k LOC Java project right now.
What I'm harsh on are companies that run static code analysis tools as their primary or only method to secure applications. That's foolhardy and provides a false sense of security.
Software security is a LOT more difficult than NetSec and requires the 4-pronged punch of automatic code analysis, manual code and architectural review, automatic scanning and manual pen testing. We are not talking about proprietary network devices; these enterprise apps are clay.
The manual processes are very appropriate for security-critical apps, and while not scalable, are appropriate when used judiciously.
Posted by: Jim Manico | August 27, 2008 at 06:09 PM