Software security trends

 
Greenhorn
Hello,

I have a general question for Kenneth van Wyk, Mark Graff, Dan Peters, and Diana Burley (of course other security experts' comments are also welcome): how has the general level of security changed over time? Is it getting better? Is it getting worse? Is it possible to make such a summary?

Thanks,
Piotr Kalinowski
 
Sheriff
I have skimmed the book and the authors discuss the division between security-focused teams and application development teams, the often adversarial nature of their relationship, and the problems that arise from this division.

This is my very limited view: it's a constant uphill battle to get application developers to even think about security much less do something about it. There are many factors that come into play: schedule pressure, lack of expertise/education, continuous and rapidly changing technology landscape, etc. It seems like it's only when there's some kind of serious security breach in the system that application developers and business users actually go back and say "You know, we should probably make that more secure."
 
Author
Hi, this is Mark Graff, responding to Piotr's question about whether security is getting better or worse over time.

I have been working on software and enterprise security professionally for almost 30 years, so I've seen a lot of the history go by: hundreds of serious compromises and thousands of serious vulnerabilities, over a hundred new major tools for the good guys, dozens of major new companies, hundreds of billions of dollars invested. Here is my sense of the trends.

For a baseline point for comparison, let's take the year 2000. We had just gone through one of the largest engineering projects in history -- remember Y2K? -- and software quality was at least a topic of discussion in board rooms for the first time. So, since 2000:

1. Defensive tools (static and dynamic code checkers; firewalls, intrusion detection and prevention tools; log file integration and search capabilities; Web Application Firewalls; alternative non-password authentication techniques; software development life-cycles based on security, with sound practices and policies) -- these are vastly improved. A business with today's tools in yesterday's threat environment would have been fairly well off.
2. Offensive tools and techniques (vulnerability identifiers and probers; SQL injection and other database and web-based attacks; spear-phishing and social engineering, fueled by social media; complex, metaphasic attacks of the Stuxnet class; distributed denial-of-service attacks based on compromised data center servers and botnets; state-level investment in attack tools and teams) -- these have also vastly grown, and have I think continually outstripped the defensive tools in range, power, and effectiveness.
3. Awareness of the cyber problem is much broader, and I think media coverage may be somewhat more responsible -- still fraught with misunderstanding and technical mistakes, but less sensationalistic and more cognizant of the real risks.

So there are three trends. Probably more important than these, though, is a fourth:

4. The number and criticality of the functions in our society dependent on good information security has increased, year over year, to such an extent that the overall risk has I think increased immeasurably. To sum up, I think that the technical balance of offense versus defense is worse; governmental and commercial awareness of the cyber risk is much better, and the resources committed are climbing every year, which is a good thing and counterbalances the worsening technical state; but the continual move to Internet-reliant technologies and services means that ultimately we are more vulnerable today to cyber attack than we were at the turn of the century.

So -- my individual opinion only, of course -- I think we are demonstrably worse off than we were in the year 2000.

-mg-
 