|Sustainability News Photo |
[Updated Post Friday October 25, 2013]
The pollution vs. security analogy still resonates with me but there is a flaw in the model I’ve been pondering – and it’s significant. Most often (but not always) pollution is visible. When your stuck in traffic smog hangs like a cloud. The air stinks. Likewise, a polluted river or stream is usually easy to spot. The breakdown in the model is that poor security not easy to identify. Although the effects of poor security usually become apparent.
Sure, computer security sucks but who’s to blame? Do you blame the hackers? These criminals are the pirates of the Internet, exploiting vulnerabilities in our applications and plundering our data! But wait a minute, what about the careless application programmers writing vulnerable code? The test team failing to discover the security flaws? How about the companies we trust to guard our personal information? Likewise, the Governments we trust to keep us safe? Who’s fault is bad security?
In September of 2010 I attended the Open Web Application Security Project(OWASP) conference in Irvine, California. David Rice, leader of the Monterey Group and author, provided a powerful key note presentation. It’s a message that resonates loudly with me today. Mr. Rice draws an analogy between pollution and security. In the heyday of the industrial era pollution was seen as the mark of prosperity and if you not polluting your not prosperous. After decades of environmental destruction and sickening our people, laws and attitudes changed.
Today we see pollution as toxic to the environment and it is not an acceptable consequence of successful business. Security is following a similar trajectory. Today poor security is largely an acceptable consequence of writing software. After all hackers are really smart and writing code without vulnerabilities is hard – right? Writing secure code costs lots of money, stifles creativity, and productivity – correct? Our parents heard similar, “can’t have your cake and eat it to”, arguments but it was the 50’s and the subject was industrial pollution. Play it forward, now it’s almost exactly two years to date since Mr. Rice’s OWASP key note. What’s changed? Attitudes, if however slight. People are fed up and begging for some accountability.
I saw an article on TechRepublic about holding software developers accountable for their security vulnerabilities. The argument is that if your hamburger is poisoned you can sue the restaurant. But if a computer hacker steals your credit card information, destroys your credit rating, and makes your life a miserable hell, why can’t you sue the software developer? For starters, your not bound by a End User License Agreement(EULA) when you eat a hamburger. On the other hand, last time I clicked to accept new terms for iTunes on my iPhone it was more than 60 pages. That’s more paperwork than I received when purchasing my first home! Honestly, I don’t know what the hell I accepted but I guess somehow it’s legally binding.
Today products are generally considered secure unless they are proven vulnerable. Consumers have no good way to evaluate product security without expensive testing. It’s too easy for companies to say products are secure, roll the dice, and risk falling short on promises. As a result, there’s really is no incentive to make deep investments necessary in security. Invest too deep and your products are not competitive. To be clear, nobody ever says do a bad job, what happens is that security resources are not funded to match the level of risk.
For epic change to occur, businesses must compete on a level playing field. If product security posture were as easy to evaluate as choosing a loaf of bread in the supermarket all vulnerabilities would be fixed overnight. What seems more likely is accountability will be established through changes to laws and litigation, or yup you guessed it, regulatory compliance. I’m not a big fan of more government in my life but then again such regulation has been overall beneficial for the environment.
An aside, on NPR News not long ago, I heard that plants producing frozen pizza are inspected by the Food and Drug Administration but frozen pizza with meat is inspected by the U.S. Department of Agriculture. The government needs to draw the line somewhere and evidently it’s directly down the center of your pizza. Likewise, any regulatory path for security will produce few a mushrooms along the way.
 The Monterey Group, http://www.montereygrp.com/about.aspx
 Rice, David. “OWASP AppSec USA 2010: Keynote: David Rice 1/3.” David Rice Key Note. Irvine, California, 2 Sept. 2010. YouTube. OWASP, 04 Dec. 2010. Web. 03 Sept. 2012. <http://www.youtube.com/watch?v=55R7qUcfXzo>.
 The Open Web Application Security Project, https://www.owasp.org/index.php/Main_Page
 Heath, Nick. “Should Developers Be Sued for Security Holes?” TechRepublic. TechRepublic, 23 Aug. 2012. Web. 02 Sept. 2012. <http://www.techrepublic.com/blog/european-technology/should-developers-be-sued-for-security-holes/1109>.
 Sustainability News Photo. Digital image. Climate Protection. City of Las Vegas, 3 Sept. 2012. Web. 3 Sept. 2012. <http://www.lasvegasnevada.gov/sustaininglasvegas/16030.htm>.
 Naylor, Brian. “U.S. Considers Overhaul Of Food Safety System.” All Things Considered. National Public Radio. California, 4 Sept. 2012. NPR. NPR, 25 Feb. 2009. Web. 04 Sept. 2012. <http://www.npr.org/templates/story/story.php?storyId=100830170>.