I've been writing this column, originally as a debate with Bruce Schneier, since April 2006 -- so 12 years. In that time, I've enjoyed the opportunity to air some of my favorite themes in computer security -- sometimes subtly, other times less so. It's time to stop; I'm starting to repeat myself, and my view of the trajectory of security has been getting more jaundiced. So, I'd like to thank you all and move on to other things.
From where I sit, I see security as a side effect of poor development and systems administration. On the theoretical front, we've got to worry about sophisticated subversion attacks launched against us by our own governments. In practice, though, our problems stem from the fact that developers are sloppy and the environments in which software is developed favor speedy rollout of features over reliability. If that weren't bad enough, management has systems administration costs in the crosshairs for cost-cutting. Systems administration is a problem that has not been solved; virtualization and deployment tools are rarely used effectively -- I've lost track of the number of organizations I've talked to that use configuration management tools to deploy operating systems, which are then fielded and allowed to rot.
I know I'm not alone among the many security thinkers who have been saying, "This will not do." And it won't -- what we need is better software and more reliable systems; what we got is tools for deploying more bad software faster, and mistaking redundancy for reliability. It's hard not to see DevOps as a further step down the wrong path: Putting developers in charge of system deployment and configuration management looks like the beginning of a fight to the death to eliminate systems administration; the fight for budget dollars has begun. Developers don't know how to write secure or reliable code, and they won't do any better running reliable production systems and writing code either. Don't worry, it'll sort itself out, eventually, but the wheels are going to fall off the pram a lot first. Perhaps, someday, users and customers will get tired of running endless versions of self-updating beta-test-quality code.
A theme I've avoided until now is governments' malfeasance in cybersecurity: We've got our own intelligence agencies weakening and back-dooring systems (while we complain about China) and spending vastly more money on offensive weapons than on the bread-and-butter of defense. Every assessment of government IT security returns failing grades; the offensive cutting-edge couldn't keep its arsenal secure, and now we're being hacked with weaponized versions of U.S. government-funded malware. I'd say "the jokes write themselves," except none of this is funny at all. It's worse than simple hypocrisy and wasted money -- it's fundamentally bad strategy. The Department of Glass Houses should not be leaking its cache of automated stone-throwers.
There are some positive signs. After 20+ years of going to conferences, I seldom see "booth babes" at the more mature, bigger-money conferences. Women and minorities are leaders in the field, but their contribution is not as well-recognized as that of us white guys, so I went out of my way to use the column to spend time learning about some of the female power-hitters. A lot of work remains to be done; Silicon Valley's venture capitalists are leaving a great deal of intellectual capital on the table, and doing that makes us less competitive, not better.
The truth remains that "you can have cheap, fast or good -- pick two." IT is hard and IT security is harder, because it's dealing with the consequences of the increasing complexity of virtually everything. After these years of watching the security industry evolve, I worry that we've been doing things backward all along: security problems result from complexity, so maybe adding more complexity in the form of security processes and technologies is just putting out a fire with gasoline. I worry about my field, I really do, because I think our strategy is misplaced -- we need zero-systems-administration operating environments, managed runtimes and better software, not more 1U beige boxes that generate alerts for nobody to look at.
Interesting things are coming down the pike. AI shows some promise for basic task automation, and cloud providers and SaaS vendors have licked configuration management. Beware of lock-in, of course.
If I may leave you with a parting thought, it's this: It's all software, which means that it needs to be developed, maintained and managed. I've talked to some executives who say, "Our company doesn't do custom software." And that's just nonsense -- I don't care if it's code you're writing in C, router configuration rules, SQL database calls or alert suppression rules in your SIEM. It's all stuff that has to be developed, maintained and managed. One of the executives who said, "Our company doesn't do software," had just been complaining that they were having trouble upgrading multiple Java virtual machines because of compatibility issues. It's code: You have to develop, maintain and manage it. Humans don't do that very well, and that's why we have this field called computer security.
Thanks for listening all these years,