This document discusses inconvenient truths about software security. It notes that there are no standardized security metrics, making it difficult for customers to assess security. It also draws parallels between global warming and the growing impact of insecure software. The document argues that secure software does not currently make business sense for vendors due to a lack of incentives. It warns that society's heavy dependence on software leaves it vulnerable if attacker business models evolve to more effectively monetize exploiting insecure systems at scale. Overall, the document presents several inconvenient realities about the current state of software security.

1. Inconvenient Truth(s)
Dinis Cruz,
SANS “What Works in Application Security”

2. 2
Who am I?
 Director of Advanced Technologies, Ounce Labs
 Chief OWASP Evangelist
 Independent Consultant, various
 Skills:
– Researcher on .NET Security
– Reverse Engineering
– Source Code Security Reviews
– Development of Secure Architectures
– Developer (from ASM to C#, from Amiga to x86)
– Irreverent

3. 3
Inconvenient Truth
 Software security is a mess!!!!!
 Not because the software industry creates exploitable
vulnerabilities, but because it doesn’t understand what those
vulnerabilities look like and doesn’t learn from past mistakes!
 The buyers/users have no visibility on the ‘real’ security status of
our software world
 Software is everywhere (from cars, to websites, to medical
appliances, to banking systems, to toys, to elevators, to weapons,
to communication devices, to energy transportation systems, etc…)
– Our society is currently very dependent on software and will become even
more in the future
 And nobody has a complete picture of how big this mess is, since
its complexity has outgrown the human capacity to analyze it!

4. 4
Inconvenient #1
There are no metrics!

5. 5
There are no metrics!
 How can customers purchase
secure solutions if they can’t
measure security?
 I know more about an
Orange Juice I buy from the
local store than I know about
the software I buy (winzip for example)
 My only decision is to
accept (or not) the EULA
 Image from OWASP’s metrics project
& Jeff Williams’ Presentation
(http://www.owasp.org/index.php
/Types_of_application_security_metrics)

6. 6
Inconvenient #2
Global Warming ~ Software InSecurity

7. 7
Global Warming ~ Software InSecurity
 Al Gore’s Global Warming
– Should in fact be called
The impact of Mankind on Earth’s Ecosystem
 Both are man made
 Both are the results of Complex Systems
and feedback loops whose consequences are not fully
understood
 Both are actually an Accountancy and Economics
problem
 Both ‘could’ have disastrous consequences

8. 8
Inconvenient #3
Secure software doesn’t make business
sense

9. 9
Secure software doesn’t make business sense
‘Information security is not a technological problem. It is an
economics problem. And the way to improve information security is to
fix the economics problem. If this is done, companies will come up with
the right technological solutions that vendors will happily implement. Fail
to solve the economics problem, and vendors will not bother
implementing or researching any security technologies, regardless of
how effective they are.’ Bruce Schneier
 See John Viega’s (Vice President and Chief Security Architect of
McAfee) BlackHat 2007 presentation: Building an Effective Application
Security Practice on a Shoestring Budget
 This presentation makes the business case for not investing on
Security!
“If I know that doing a security audit on product XYZ I will find (per Mloc) 90
serious vulnerabilities (30 Critical, 60 High), but in the past year only 1 of those
vulnerabilities have been publicly disclosed, then it is cheaper to have a small
and agile CERT, than it is to find and patch those issues before shipping”.
John Viega

10. 10
Inconvenient #4
Secure software doesn’t make business
sense

11. 11
Secure software doesn’t make business sense
 Clients are not able to measure the ‘security’ of the products
and services they are purchasing (or developing)
 The attackers are not exploiting the vulnerabilities created by
insecure applications / solutions
 Governments don’t know what is going on (or what to do)
 Software companies (both traditional and Open Source) are
rewarded (with sales or eyeballs) for delivering:
– Features that either (from the users point of view):
• a) improve business operations
• b) increase profitability
• c) create new sources of revenue
– Performance, Scalability, Reporting
– Time to market
– GUIs (ease of use)
 In 2007 Software Security is still a ‘damage control’ exercise
and only short-term actions are implemented
– Important note:
This would not be a problem if the attacker’s business model
wasn’t evolving

12. 12
Inconvenient #5
Our systems are safe today!

13. 13
Our systems are safe today!
 How many people in this room have suffered ‘severe’
losses (either economical or personal) due to a
criminal exploitation of vulnerabilities in Software?
 How many companies bankrupt?
 How many wars started? Or won?
 How many lives lost?
 How many dollars lost?
(as a percentage of profits/losses)
Interesting statistic: In the UK, in the
assessment of road building schemes,
lives saved due to road safety
improvements are valued at around
£1 million per person.
http://news.bbc.co.uk/1/hi/world/europe/6597743.stm

14. 14
Inconvenient #6
Our systems are safe today!

15. 15
Our systems are safe today!
 Apart from:
– Kids
– Criminals with simple malicious business models:
• spamming, phishing, credit card fraud, software piracy
• sell compromised accounts (& bot nets)
• blackmail
• obvious (& easily detectable) stock market manipulation
– Small number of elite criminals who know what they are doing
and never will be caught
 We are pretty safe!
– Which is good because our defenses (AV, IDS, IPS,
Operating Systems, Applications) are not able to contain
targeted attacks by skillful and knowledgeable attackers

16. 16
What is RISK?
 RISK = Vulnerability * Impact * Frequency
Number of Attacks
Frequency = --------------------------
Time Period
Number of Attacks
RISK = Vulnerability * Impact * --------------------------
Time Period
 At the moment (Aug 2007), we are in a LOW RISK DefCon mode:
– the Vulnerabilities and Impact are very HIGH, but
– the number of attacks (over the last years) is very LOW

17. 17
Inconvenient #7
We will be doomed!

18. 18
We will be doomed!
 If the business model of our attackers evolve!
 If these attackers are able to make money by exploiting
our insecure software / web applications
 If the number of ‘profitable’ attackers reaches critical
mass
 If we don’t change our current software development
business model
 If we don’t change our understanding and visibility of
the security implications of our interconnected
systems
 If we are attacked directly!

19. 19
Inconvenient #8
The attacker's business model is still
immature

20. 20
The attacker's business model is still immature
 Mainly still:
– spamming, phishing, credit card fraud, software piracy
– selling compromised accounts or botnets,
– blackmail
– obvious (& easily detectable) stock market manipulation
 We will have a serious problem when the attackers are
able to monetize digital accesses to company’s:
– Content Management Systems
– Backend Transactions Systems
– Digital assets (Emails, Documents, VPNs)
– Payment Systems
– Business related assets:
• Capability to do business
• Availability of Services
• Confidentially of information stored / processed
• Data Integrity

21. 21
‘Software enabled’ malicious business models
 Sell Business Intelligence (& victim’s assets)
– From corporate espionage to selling airline tickets via compromised ‘Air
Miles’ system
 Stock Market Manipulation
– What if 10% of all stock market transactions were not real?
 Accounting Scams
– Enron via database manipulation, money ‘creation’, money laundering
 Control media agenda
– Mind control, political agenda control, elections manipulation
 Serious blackmail / credit card fraud
– James Bond style
 Destruction of financial organization to hide bad investments
– Think ‘Hedge fund gone bust’ with interest in wiping Bank’s XYZ debt
management system (which is only a database after all)
 Artificial ‘lack of energy resources’
– or other consumer goods
 Digital Wars
 Etc… (ask DHS or Bruce Schneier for more movie plots
stories)

22. 22
Inconvenient #9
Physical Extremism doesn't scale
(but Digital Extremism does)

23. 23
Physical Extremism doesn't scale (but Digital Extremism does)
 Extremism is part of our world
 Physical Extremism (from Islamic Terrorism, to Animal Right’s
campaigners, to Environmental activists) doesn't scale:
– Good at delivering one-off hits
– Hard at creating large numbers of attacks
• High exposure when delivering attack usually compromises cell (and its
connections)
• Hard to do without strong grass roots support (which protects the attackers)
– Successful attacks can’t be easily replicated and executed on other locations
 Digital Extremism will scale since they could bring our economy
down (think: Stock market collapse, debt vanishing, etc…)
 The good news is that there is limited money generated by
Extremist actions (and lets stay away from ‘conspiracy theories’ :)).
– This is actually the most important point, because at the end of the day what
matters is MONEY (which is why the business model of the attackers matter
so much)

24. 24
Inconvenient #10
We need better engineering

25. 25
We need better engineering
 Software engineering today is (in most cases) still a
very immature process
 Just compare it with how Microchips are designed,
tested and deployed
 Software ‘soft’ capabilities are its downfall
– Hey, if there is a problem, we just issue a patch later ! (the
customer will never notice!)
 Even companies who were ‘forced’ to take security
seriously (Microsoft) are still on a reactive mode (and
are not learning from past mistakes)

26. 26
Inconvenient #11
We need containment

27. 27
We need containment
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
 Where we are going on the right direction:

28. 28
Sandbox anybody? (or ‘Can I 0wn you please?’)
 And where we are NOT going on the right direction:
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.

29. 29
Going mobile
 Who owns an iPhone? (can I 0wn you too?)
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.

30. 30
Inconvenient #12
Open Source security is a myth

31. 31
Open Source security is a myth
 ‘Many eyeballs’ is true, but the number of eyeballs with security
knowledge looking at Open Source projects is very limited
 The fact that the code is available doesn’t mean that somebody will
actually review it
 Non existent Open Source culture and processes to perform regular
manual and tool-based source code reviews
 There is no certification of ‘secure’ Open Source applications
 Open Source community think they are secure
 Very few seem to understand the problems with user-land security
(mainly due to the lack of attacks)
 Open Source community doesn’t want Full Disclosure of Zero-days
(their ‘responsible disclose policy’ is very similar to Microsoft’s one)
 Bottom Line: The fact that an application is Open Source doesn’t make
it secure
 And since its users can’t measure the security of the Open Source
tools they are using, several Open Source projects shown the same
disregard for end-user’s security as its ‘proprietary’ counterparts

32. 32
Inconvenient #13
Most Source Code must be disclosed

33. 33
All Source Code must be disclosed
 That said, we (the clients buying and using software)
need access to the code in order to review and analyze
its security
 For the ones that don’t have those reviewing
capabilities in-house they should be able to pay
independent companies to do it
– Even governments should be involved in these evaluations
 The days of selling ‘black boxes’ that nobody knows
what is inside are numbered
 Note that this doesn't mean that all software will be
Open Source (just that its code will be available for
review)

34. 34
Inconvenient #14
Most IT Security products have negative
ROI

35. 35
Most IT Security products have negative ROI
 Anybody want to challenge this item?
 Note that most ‘security products’ are developed with
the same mind-set and priorities of normal software
which means that making it ‘secure’ is usually not on
the ‘real’ agenda
– Unfortunately, today, it doesn’t make business sense to
create ‘secure’ Security Software
– Note how many vulnerabilities exist in ‘Security Software’ (and
appliances)

36. 36
Inconvenient #15
The long tail of attackers is saving us

37. 37
The Long Tail of Attackers is saving us
 Will this shape continue?
 Most capable to exploit seem to be
employed by you with no
motive to go to the ‘dark side’
 Is our current ‘mess’
creating a new generation
of attackers?
– Currently making money by
exploiting (for example):
• online gambling
• community websites
• vulnerable eCommerce websites
http://en.wikipedia.org/wiki/The_Long_Tail

38. 38
Inconvenient #15
The 'digital Armageddon' will never
happen

39. 39
The 'digital Armageddon' will never happen
 We are very close and it can be done (for 10 years at least)
 Super-Elite skills are not required (large number of BlackHat /
DefCon participants could do it)
 But it hasn’t happened so far!
 So, what should it?
 The important question : Can somebody make money with it?
– What is the Business model of a 'digital Armageddon'
 Awareness of this global weakness and existence of large
numbers of ‘single points of failure’ is (I think) very limited at C-
Level and Government executives
 Maybe the good guys should show that it can be done

40. 40
Solution?
 Visibility
– Understand the security implications
– Understand the Risk
– Understand the interconnections and interdependencies
– Disclosure of Known vulnerabilities (metrics)
 Reward and Accountability
– Business models that reward this visibility and the development of
‘secure’ applications
– Procurement pressure will work (but needs to be backup by law)
 Containment
– Execute code in Sandboxed run-time-environments where
exploitation of vulnerabilities (or of malicious code) are
• a) not possible or
• b) successfully contained
 Government, Laws, Privacy and Anonymity

41. 41
Security Public Relations Excuse Bingo
 Would be funny
if wasn’t true
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
From www.crypto.com/bingo/pr

42. 42
Thanks
 Any Questions?
 Fell free to contact me at: dinis.cruz@ouncelabs.com