Friday, August 2, 2013

REVIEW: RVAsec 2012 - Software Security: A Waste of Time?
RVAsec 2012 - Software Security: A Waste of Time?

https://www.youtube.com/watch?v=vtGXgRQXE4k

This is a presentation from a security conference on the value of the Microsoft SDL (Security Development Lifecycle). The speaker shows that some of the measurements used to judge it are not necessarily valid, but concludes that the Microsoft SDL is definitely worthwhile, whatever its net impact on vulnerability counts, because it is a proactive approach rather than a reactive one.

He recommends running all freely available fuzzing tools against your own systems, since someone else will eventually do so and you may as well find the problems before they do. He also recommends reviewing the annual SANS Top 25 application security vulnerabilities list. A question at the end asks about applying the SDL to agile development, but he basically says “it’s hard” and “work through things” rather than offering much concrete guidance.

Thursday, January 24, 2013

It is a Dangerous World

I was fighting off the flu along with some personal business during much of the Java hoopla, but it reminds me that we live in a very dangerous world. I suspect we will find that all kinds of core tools have major flaws in them.

Some of this is because most development is not done with security in mind, even in organizations where that is supposed to be a priority. Getting things working and out the door is far more important in many cases. This is logical, since that is how money is made, but it is ultimately dangerous, since it is also how money can be lost.

The lost money often comes at the expense of others, though, so the risk does not fall on those who created it, which makes for somewhat perverse incentives.

It is like the credit card brands pushing the issues of compliance on card processors instead of providing a much more secure structure themselves.

I don't see any good solution to this. A recent article made the good point that we cannot stop using the technologies that have made modern computing productive. The challenge is going to be figuring out how to keep using them in spite of such flaws.