Tuesday, June 30, 2009

[RANT] Call Me a Realist

Call me a cynic, a "doom and gloom" believer, a naysayer or whatever else you want - but understand that fundamentally I'm just a realist with a lot of experience in failure.

Hopefully you've had a chance to listen to the OWASP Podcast #27 featuring yours truly and heard my take on App Sec... If you haven't heard the OWASP Podcast yet, Jim Manico does an awesome job identifying, tracking down and interviewing people who have an influential role in web application security - and I for one feel honored that I was picked to be a part of that group. After listening to myself on the podcast I started to see what some of you guys had been telling me about myself - I make one hell of a cynic, don't I?

I sat and thought about it some, as the rains poured down over Progressive Field in Cleveland, OH (and the White Sox pounded the Tribe). Am I really a cynic or do I just know better than to expect something that will likely never come? I think the reality here is that I've worked in companies large and small, with funding and with a shoestring budget, well staffed and with a skeleton crew - and the result has been consistent failure.

Are we just physically incapable of writing good, secure web application code? Yes.

Well, no, take that back. In an imaginary world where we have unlimited time, unlimited tools at our disposal, everyone is well-educated (in security) and has an incomprehensible amount of intelligence for development... yeah, we'd still fail. You see, good security is (like the devil) in the details. Put down the sharp implement and let me explain.

Even in a perfect world there are still things that the individual developer cannot control. In modern application development it is almost unheard of for a single person to write an entire application without using code-generating tools, 3rd-party objects/modules/includes, or additional support such as a horde of developers. This creates a condition known as "I-have-no-idea-what-they-did-but-it's-not-my-problem-itis", for which there is no known cure. Say, in this perfect land, you have a group of developers that understands their tasks well, can secure their code and is smart enough to get support when they need it - but what about all the code they are re-using or integrating with? It's still unpredictable at best, and who knows what sort of security muster it has passed (or not). Someone once told me that we'd have no more code insecurity if we could just get rid of the programmers and replace them with re-usable code. I reminded that person that someone had to write that re-usable code engine... which leaves room for flaws.

Emerging from our perfect world, where security still fails on occasion, and returning to the real world, we realize that we're under-staffed, over-worked, under-educated and under-budgeted. We've lost the race before the gun goes off. Chasing the big white whale becomes the dream of a madman. In a typical company, where risks are a-plenty and IT is up to its eyeballs in delivery issues, it's a little difficult to suddenly step in and talk about security vulnerabilities like they're somehow more important than the 10,000 things that are already on fire. When the whole forest is on fire... which tree do you save first?

Enterprises and SMBs alike are looking to save money and cut corners (whether they want to admit it or not), and unfortunately security sometimes falls off the docket. Whether it's the security team's fault for not properly articulating the issue or the CIO's for simply not understanding the risks... the result is often the same. Somewhere in your business are thousands of lines of insecure, exploitable code that is very lucrative to whoever finds the holes first. Worse yet - that stuff has been there for years, and now when you review a small snippet that's changing and find that the whole thing has to be re-done... no one wants to pony up the money to do the work - right?

If you're not having a hard enough time explaining what you really mean by "we're going to be hacked", then you're fighting to get budget, or you're trying to fit the notions of security into the greater SDLC... there's always a problem.

Think of it this way - as technologies become more complex, security and development know less and less about each other's art, leading to a state where very bad things can happen in a heartbeat. This isn't magically going to get better when you wake up tomorrow. You're also not going to stop outsourcing, off-shoring, and developing with teams that don't speak your language or understand your culture. Your ancient applications aren't magically going to be sunset in favor of newer, more secure versions. Things just aren't getting any better; this has been the trend since the mid-'90s.

So... am I a cynic? Yeah, I'm a cynic.
Why am I a cynic? I think it's because I know better, and I'm just a realist.

I do hope every day that there is a game-changer just around the corner. A new web development language that inherently prevents the developer from writing insecure code would be a great place to start! Until then... Skeletor lives.


Dave Hull said...

Great post. Anyone who has been working on app sec long enough understands where you're coming from.

This domain has been studied for years and those who study it always come to this conclusion. Getting it right is hard.

Even the companies that do it well produce software with defects at the rate of nearly one per 1K lines of code, and when you're talking about apps that run into the thousands, hundreds of thousands or even millions of lines of code, you're bound to get some flaws with security implications.

All that said, we still need app sec folks, even if it sometimes feels like we're hamsters running in place on that damned wheel.

Rafal Los said...

@Dave Hull-
Thanks Dave, that makes me feel a little better, given that I regularly get ridiculed for the gloomy outlook.

A defect rate of 1/1,000 sucks, when you consider that it only takes 1 missed sanitization of input to cause a catastrophic failure and complete compromise of a database, etc.

It's absolutely scary when you consider the tolerances we in Security work under... but yes, we need to keep moving on up that hill... in ankle-deep sand... with 1,000lbs strapped to our backs... against the wind :)
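To make the "one missed sanitization" point from the comment above (and the post's "thousands of lines of insecure, exploitable code") concrete, here is an added example written for this page; it is not code from the original post or from either commenter. It builds a throwaway in-memory SQLite table with constructed sample users, then runs the same lookup two ways: one where a single input (`role`) is concatenated into the SQL while the other is bound correctly, and one where every input is bound as a parameter. The table, the user names and the attacker payload are all made up for the illustration.

```python
import sqlite3

# Constructed sample data: a throwaway in-memory table standing in for
# an application's user store. Nothing here comes from a real system.
SAMPLE_USERS = [
    ("alice", "admin", "alice@example.com"),
    ("bob", "user", "bob@example.com"),
    ("carol", "user", "carol@example.com"),
]

# Constructed attacker input for the `role` field. Inside a single-quoted
# literal it closes the quote and appends an always-true clause; SQL's
# AND binds tighter than OR, so the WHERE becomes
#   (name = ? AND role = '') OR '1'='1'
# which matches every row.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, name: str, role: str) -> list:
    """Two user-controlled inputs, only one of them handled correctly.

    `name` is bound as a parameter, so it is safe. `role` is the one
    missed spot: it is pasted straight into the query text, so whatever
    the caller puts in it becomes part of the SQL grammar.
    """
    sql = ("SELECT name, role, email FROM users "
           "WHERE name = ? AND role = '" + role + "'")
    return conn.execute(sql, (name,)).fetchall()


def find_users_hardened(conn: sqlite3.Connection, name: str, role: str) -> list:
    """Every user-controlled value is bound as a parameter.

    The query text is a constant; the driver sends the values separately,
    so quotes and keywords in the inputs are just data.
    """
    sql = ("SELECT name, role, email FROM users "
           "WHERE name = ? AND role = ?")
    return conn.execute(sql, (name, role)).fetchall()


def demo() -> tuple:
    """Run the payload through both versions and return (leaked, safe)."""
    conn = make_db()
    leaked = find_users_vulnerable(conn, "bob", PAYLOAD)   # every row
    safe = find_users_hardened(conn, "bob", PAYLOAD)       # no such role
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned", len(leaked), "rows:", leaked)
    print("hardened query returned", len(safe), "rows:", safe)
```

The vulnerable function is not careless everywhere; it binds `name` properly and only slips on `role`. That is the realistic shape of the problem: a reviewer skimming for "uses parameters" would see the `?` and move on, and the one concatenation left behind is enough to dump the table. The hardened version returns nothing for the payload because no row has a role literally equal to `' OR '1'='1`.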

DanPhilpott said...

It isn't easy to say, but I think cynicism is the easy way out for people facing a difficult situation. It's so much easier to be cynical, to know better than others and smirk knowingly than to face the prospect of tackling a problem you don't think you can win. Cynics are worse than the dumb people they ridicule because they are aware of the problem but not part of a solution. It's the harder job to initiate and work on a solution knowing it is flawed and likely doomed but doing it anyways because it's better than the alternative. A realist turns to cynicism because they're too lazy to be an optimist. No, I was wrong. That was easy to say.

The notion of space is important in defining the American experience. We are a young country, with a bit over 230 years' experience. We started out on the border of a huge territory, slowly grew into that space, developing culture and politics along the way. And in all that time we still didn't come up with perfect solutions. Computer programming is a young field and it has a vast territory to still grow into. It will be many years before the revolutionary upheavals slow and industry matures to a place where secure practice becomes more valuable than development speed. But that time will come.

You asked, "When the whole forest is on fire... which tree do you save first?" The United States has gone to and fro on that question as knowledge of the importance of natural burns became apparent. But now there's policy and procedure to aid the choice. If you want to know how to decide which tree to save, read through the material at the National Wildfire Coordinating Group site.
It still only takes a single spark to light a fire but stewardship and response temper the outcome.

In both security practice and the life of a country time passes, experience increases and practice improves. That's how life happens and systems correct, time and necessity.

Rafal Los said...

I totally respect your opinion but I think you have me mistaken for some lazy jackass who just bemoans the problems we face rather than trying to solve them. I've spent the better part of the last 10 years solving these problems - on some of the grandest scales there are.

The fact that I write about it, and consider myself a cynic means that I've been through it, and understand the challenges and why failures occur. I never said all is lost, give up hope and sit on the couch and eat Cheetos all day. Nay - I challenge folks to think differently and try and solve these gargantuan problems because at the end of the day it's issues like these that break people's will to continue... ask someone who's worked in an extremely large and politically-charged enterprise.

Anyway... I'm a realist, and a cynic; but don't confuse cynicism with laziness and unwillingness to do the needful.