REVIEW: RVAsec 2012 - Software Security: A Waste of Time?

RVAsec 2012 - Software Security: A Waste of Time?

https://www.youtube.com/watch?v=vtGXgRQXE4k

This is a presentation at a security conference covering the value of the Microsoft SDL.  He shows that some measurements are not necessarily valid, but comes out believing that the Microsoft SDL is definitely worthwhile, whatever the net impact on vulnerabilities, as it is a more proactive approach rather than a reactive one.

He recommends running all freely available fuzzing tools against your system since someone will eventually do that and you may as well catch things before they do.  He recommends reviewing the SANS Top 25 App Security vulnerabilities annual list.  A question is asked at the end about applying the SDL to agile, but he basically says “it’s hard” and “work through things” rather than providing much clear guidance.

It is a Dangerous World

I was fighting off the flu along with some personal business during much of the Java hoopla, but it reminds me that we live in a very dangerous world.  I suspect we will find that all kinds of core tools have major flaws in them.

Some of this is because most development is not done with security in mind, even in organizations where that is supposed to be a priority.  Getting things working and out the door is far more important in many cases.  This is logical since that is how money is made, but it is ultimately dangerous since it is also how money can be lost.

Though the lost money often comes at the expense of others, so the risk is not properly applied in that sense, making for somewhat perverse incentives.

It is like the credit card brands pushing the issues of compliance on card processors instead of providing a much more secure structure themselves.

I don't see any good solution to this.  A recent article made a good point that we cannot stop using the technologies that have enabled the productive use of modern technologies.  The challenge is going to be figuring out how to do so in spite of such flaws.

Don't Plan Because You are Uncertain?

Don't plan for uncertainty until you are certain:

http://www.csoonline.com/article/721150/certainly-uncertain

This humor comes too close to reality in many organizations.

The CISM

I never did post a note here that I finally got all the paperwork in for the CISM.  I passed the test a while back, but it took a bit to follow up with the paperwork.  One challenge I see is that it is much more limited about what will qualify for CPEs. 

I listen to a lot of podcasts and while the CISSP allows those, the CISM appear to not count them.  Going and sleeping through a conference is fine as long as you have the piece of paper at the end.  I will have to keep my eye out for valid outlets to keep this updated.  Fortunately it looks like the classes I teach will help, so I may not have as hard a time as it seemed at first.

Congress is not Always the Solution

Good thoughts in the latest Salted Hash commentary.

http://blogs.csoonline.com/security-leadership/2458/dear-congress-please-keep-your-dirty-hands-cybersecurity-email-privacy

The danger is that so many fail to realize that things like this have great potential for abuse, especially of those with low personal restraint.  Anything could become a national security issue and could justify spying.  It is quite dangerous to trust government to protect us in all areas.

Quality Software is Secure Software

The focus on software development is usually getting the system completed on time and hopefully at or under budget.  Some organizations may even add a requirement that few known bugs may ship with the product, though the amount of testing and validation of that can vary greatly.

The security of those systems usually comes some position after that, especially if the organization doesn't have a regulatory requirement for that.  In fact, even those organizations may only pay lip service to the need for secure software until they face a breach of their own.

Much of that is driven by business needs.  The eyes of the leaders is on profit and loss (as it should be) and the new system needs to be available to help with the profit of raising income for the company.

This is as it should be, since a company without income and profits will soon be out of business, but it minimizes the impact of defects and security flaws on the business.  Some organizations are starting to understand that defects can be costly, but only a few of those realize that security flaws are just another kind of dangerous defect.

Realizing this would help make educating people about the value of preventing or quickly fixing defects or security flaws more effective since only one message would need to go out.

I Passed the CISSP!

I just found out that I passed the CISSP exam I took several weeks ago!  I was surprised, but this turned out just like my CISM exam.  I thought I failed that too, but now I have the key information security certification under my belt to go with all the other hands on ones I have completed!