Wednesday, February 25, 2009

Software security is an engineering problem

Designing software that is secure is a difficult prospect at the best of times. Defenders need to know what (assets) they need to protect and from whom (threats). Defenders need to ensure that all the holes (vulnerabilities) are patched, all the time, within their limited budget, people and legal constraints. Attackers, on the other hand, need only find one hole, and often have ample time and opportunity. There's an asymmetry in resources.

Well, it's not always easy to find your assets or know how to identify them. We only need to look at the GFC (Global Financial Crisis) to see the impact of not being able to identify and locate actual hard assets.

It's not easy to know whom you need to defend against. You want to make sure you have the right defenses in the right places, where they will give you the maximum bang for your buck. What about the people you trust, like Heartland? More than 500 financial institutions now impacted at last count.

How do you find all the holes? Do you know where to look? If the experts who are creating the next generation of crypto routines can't get it right, what hope do your developers have?
Not to mention all the interesting ways your code and applications can be abused that you never thought possible.

Throwing technology (firewalls, SSL, VPN, DLP, antivirus, etc.) at the software problem isn't going to solve it either. It's an engineering problem; you need to build security in!

No wonder some of the best security guys I know have an engineering background.
