Archive for the ‘Soapbox’ Category

Security is a process - Debian SSL flaw illustrates this

Thursday, May 29th, 2008

I saw the following quote in a post on the Security Focus website regarding the bug in Debian and Debian-derived distros:

The latest flaw was introduced in the system because developers removed a line of code that had caused warnings about the use of uninitialized data when any program was linked to the OpenSSL library, [HD] Moore said.

It got me thinking back on the days when I was reading software engineering material like there was no tomorrow…

When I see a flaw like this, I think of all the areas where the flaw should have been caught prior to release:

  • Code reviews, especially of critical/security systems
  • Change/configuration control
  • Testing

Though at one point in my life, I had visions of pure, mature software development processes being followed without fail in software shops around the world, I’ve come to believe that dream is a myth.

But for the love of god and all that is holy, if you are going to edit software that’s at the center of a security product or pipeline, you should be doing so within the realm of strict process.

I know there are a lot of developers out there who are editing code without much regard for process, but I urge you, think…

I urge every developer to take some time to refresh their understanding of what good software process is.  Though you may not follow it at the organizational level, we, as individuals, can bring some quality to what we do.

Here’s a few of my favorites:

Read as many books in the fields of software process, lifecycle, engineering, and testing as you can.  Don’t forget configuration control.

Bill

Debate over public hacking contests

Saturday, June 2nd, 2007

Here’s a few quotes from an interesting article I found on eSecurity Planet.

“Gartner analyst Rich Mogull, one of the authors of the report, said that doing vulnerability research in public comes with ‘high risk.’”

“‘TippingPoint cannot abdicate responsibility here. And if they do participate in this kind of contest, they need to understand that they’re going to undergo criticism from industry experts like myself,’ he said.”

The focus of the article is not about the ethics of selling vulnerabilities, but on whether or not we should hold public contests to discover them.

The argument is that these contests generally reveal zero day vulnerabilities.

Industry expert!?  I think this guy Mogull is clueless.

First, he uses his weight as a big-man at Gartner to threaten retaliation for holding these types of contests.

Second, he does not have even a basic understanding of human nature.

Highly public, highly visible contests like this are good because:

  1. They educate potential novices on the art of discovery.
  2. Basic human nature is to work for good rather than evil.
  3. Combining 1 and 2 should lead the non-dimwitted to conclude that we will end up with more “security researchers” than haxorz.
  4. The public nature of the contest is an indicator to vendors that they better get their heads out of their butts when it comes to developing secure software.

I, personally, would rather see a vulnerability discovered in a public forum than in some rogue attacker group that will use the discovery for nefarious purposes…

Just my $.02

Bill Gross

Google getting into the Security arena

Saturday, June 2nd, 2007

From May 30th on SearchSecurity:

The search engine giant announced this week it has acquired Mountain View, Calif.-based security firm GreenBorder Technologies Inc., which specializes in sandbox technology to defend email and Web users from malware.

I’m not sure what to think here.

Since Google appears to be making headway in the client tools arena, it might be good that it wants to protect users from malware.

But the “I’m an investor” side of me makes me think, “deworsification” - a term I believe is attributed to Peter Lynch.

The idea is that many large companies start out really smart, with a focus on one really good idea or product.

Once that starts doing well, the company gets a little bigger, and they start to diversify.  In most cases, this is bad both for the company and for its investors… Hence, the diversification is really deworsification…

As an investor in Google, I’d be worried unless Google comes out with a really solid, highly visible, easy to understand vision for where they are going.

This vision is something Microsoft has mastered, but I’ll never own Microsoft stock again.  I should leave emotions out of it, but I feel like buying stock in Microsoft is condoning their horrible business practices…

Bill Gross

“Is the Mac Really More Secure than Windows?” - Ugh

Sunday, February 11th, 2007

On February 6, 2007, eSecurity Planet ran an article on their site titled “Is the Mac Really More Secure than Windows?”

Right off the bat, I want to beg the reader’s forgiveness for the harsh tone of this post.

Here’s the deal.  I really, really hate articles like this for several reasons:

  1. The question, in its very essence, is meaningless.  How on earth can any reasonable person hope to answer that question?  Asking “is Mac more secure than Windows” is about as meaningful a question as, “is my watch easier to read than yours?”
  2. Because of the senselessness of such questions, it makes me sad to see someone who is a “20-year veteran of IT security” actually trying to address it.
  3. Putting 1 and 2 together, the article, in my mind, discredits Ken van Wyk (the author), eSecurity Planet, and gives security professionals a bad name in general.

Now, I’m not saying Ken van Wyk is not a bright guy, but reading the article, I sense that he is dancing around the elephant in the room.  I.e., there is no reasonable way to answer the question he’s writing about.

He starts by trying to clarify his assertion that he is more secure on Mac because of his familiarity with the platform.  This clarification leads to the conclusion that what he’s about to say may not apply to someone (or anyone for that matter) else.  Reasonable, valid, and I’ll touch on this more in a minute.

But then he goes on to, IMHO, arbitrarily select a few feature differences between the platforms and then, gasp, assigns what appear to be completely arbitrary scores to each platform based on those differences with respect to which implements a feature in a more secure manner.

I don’t want to get into this article too much, because most of it is absurd on its face, but I want to draw the reader’s attention to one point Ken did make, and with which I agree.

Let’s take a quick look at what I believe is the only substantive statement that Ken makes:

“For starters, please note that I didn’t say that OS X (Tiger) is more secure than Windows (XP, Vista, or otherwise). No, that’s not at all what I said. I said I’m more secure on a Mac, and I truly believe it.”

The last part of that paragraph touches on why the entire debate is completely absurd…

“… I’m more secure on a Mac, and I truly believe it.”

Define security.

Do that and you see the complexity of answering this question.

As an employee of my particular organization, I say I’m infinitely more secure on a Windows box than a Mac box.  “Why,” you ask?  Because my Windows box implements and complies with my corporate information security policy, and a Mac box does not.

You must define what security is in order to evaluate which platform is more secure.

So, I’ll give Ken credit for clarifying that he is more secure on Mac than Windows, but reader be warned.  You must develop your own “security policy” before you can begin to explore which platform you are going to stand behind.

And once you choose, don’t try to assert that your conclusion is what I need, because there is good reason to believe that it isn’t.

I call on all security professionals to bust out the “please define security before I answer that question” clause.  Doing so not only increases credibility, but also helps alert the noob asking the question to the fact that, well, to the fact that he’s a noob for asking.

Bill Gross