The biggest thing affecting software security? People, apparently.

Hi all,

www.threatsandcountermeasures.com just closed their poll on what people
thought was the biggest thing affecting software security.  The results were:

People:     80.3%
Process:    18.2%
Technology:  1.5%

Results also available from www.threatsandcountermeasures.com/PastPolls.aspx.

If this is the case, then why is there such a huge financial investment in
security technology?  Is the human factor expected to magically improves once
we've got the "right" technology?

For our new poll, Threats and Countermeasures are asking what people
consider to be the more secure web application development platform; JSP,
PHP, ColdFusion, ASP.NET or old-skool CGI.

Best regards,
--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net

Nick Murison wrote:
No, but people are the hardest thing to patch. You can inform them, you
can work with them, you can even threaten them to follow good security
practices but someone always constitutes for the weakest link in the chain.

Steve

Imho, it is sometimes easier to use technology to 'cover up' and address
threats arsing from human mistakes and foibles via automation, rather than
try the 'educate and proceduralise everything' approaches. e.g.
- coding mistakes
- configuration mistakes
- lax patch management
- poor password choices
- opening/running malware
- exec/mamanegment directing poor environment security onto IT teams
- dis-affected employees and users/customers
- <insert your favourite security errors here>


Lyal

-----Original Message-----
From: Nick Murison [mailto:nick@...]
Sent: Thursday, 30 June 2005 1:09 AM
To: webappsec@...; sc-l@...;
secprog@...
Subject: The biggest thing affecting software security? People, apparently.


Hi all,

www.threatsandcountermeasures.com just closed their poll on what people
thought was the biggest thing affecting software security.  The results
were:

People:     80.3%
Process:    18.2%
Technology:  1.5%

Results also available from
www.threatsandcountermeasures.com/PastPolls.aspx.

If this is the case, then why is there such a huge financial investment in
security technology?  Is the human factor expected to magically improves
once we've got the "right" technology?

For our new poll, Threats and Countermeasures are asking what people
consider to be the more secure web application development platform; JSP,
PHP, ColdFusion, ASP.NET or old-skool CGI.

Best regards,
--
Nicholas John Murison
~~~~~~~~~~~~~~~~~~~~~
http://www.urgusabic.net

On Wednesday 29 June 2005 10:09, Nick Murison wrote:
Ignorance can be fixed.
Software can be fixed.
Stupid is forever...

--
Clinton E. Troutman

Nick,

First of all, notice the results are based on the opinions of 66
people, which hardly makes it a comprehensive survey.

Another thing, people and mistakes will always be there, but
technology improves to ensure people can make less mistakes and are
given less space and freedom to make such. Better technology provides
means for people to make less mistakes. It just seems less obvious
that it's the technology that is making the difference when it's
working properly. If the technology wasn't there people would make a
lot more mistakes while reinventing a less secure wheel.

Imagine a world with no commercial session management products. A
world dominated by home-grown session mechanisms. Oh, btw, that world
also does not have any cryptographic infrastructure. Wake up from the
nightmare, and realize technology *is* important, it is just easy to
overlook when it's there. It is the same as saying that people are the
biggest cause of road kills, indeed, they are. On the other hand,
imagine the same people driving bumpy roads with no traffic lights, no
stop signs, and no lane markings. It is easy to say "why are they
developing better roads and thinking of ways to improve, while people
are the largest factor". Because people *need* better infrastructures
and better technology to keep their mistakes in control.

Btw, technology is no good when not used properly, so yes, education
is very, very, very important.
That is why I strongly believe programmers should be educated for security.

Irene
-----------------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com


On 6/29/05, Nick Murison <nick@...> wrote:

Your final statement still focus's only on technology i.e. educate
programmers.
Yes I agree they can play a significant part in security applications
but in my experience
the common theme of making everything transparent for the users is utter
nonesene.
Ordinary users should be educated in security principles to assist in
understanding the value of data and how their actions could implicate an
exposure. Especially since we still need to setup users as power users
or admins in order to operate many third party apps.

Everyone receiving training appropriate for their role in informantion
management and security.

A balance for all responsible parties involved.

Cheers
paul powenski CISSP

-----Original Message-----
From: Irene Abezgauz [mailto:irene.abezgauz@...]
Sent: 30 June 2005 08:43
To: Nick Murison; webappsec@...; sc-l@...;
secprog@...
Subject: Re: The biggest thing affecting software security? People,
apparently.


Nick,

First of all, notice the results are based on the opinions of 66 people,
which hardly makes it a comprehensive survey.

Another thing, people and mistakes will always be there, but technology
improves to ensure people can make less mistakes and are given less
space and freedom to make such. Better technology provides means for
people to make less mistakes. It just seems less obvious that it's the
technology that is making the difference when it's working properly. If
the technology wasn't there people would make a lot more mistakes while
reinventing a less secure wheel.

Imagine a world with no commercial session management products. A world
dominated by home-grown session mechanisms. Oh, btw, that world also
does not have any cryptographic infrastructure. Wake up from the
nightmare, and realize technology *is* important, it is just easy to
overlook when it's there. It is the same as saying that people are the
biggest cause of road kills, indeed, they are. On the other hand,
imagine the same people driving bumpy roads with no traffic lights, no
stop signs, and no lane markings. It is easy to say "why are they
developing better roads and thinking of ways to improve, while people
are the largest factor". Because people *need* better infrastructures
and better technology to keep their mistakes in control.

Btw, technology is no good when not used properly, so yes, education is
very, very, very important. That is why I strongly believe programmers
should be educated for security.

Irene
-----------------------
Irene Abezgauz
Application Security Consultant
Hacktics Ltd.
Mobile: +972-54-6545405
Web: www.hacktics.com


On 6/29/05, Nick Murison <nick@...> wrote:
> Hi all,
>
> www.threatsandcountermeasures.com just closed their poll on what
> people thought was the biggest thing affecting software security.  The
NOTICE: This e-mail is intended for the named recipient(s). It may contain privileged and/or confidential information. If you are not one of the intended recipients, please notify the sender immediately and destroy this e-mail and attachment(s): you must not copy, distribute, retain or take any action in reliance upon the email or attachment(s). While all reasonable efforts are made to safeguard inbound and outbound e-mails, OAG Worldwide Ltd and its affiliate companies cannot guarantee that attachments are virus-free or are compatible with your systems, and does not accept liability in respect of viruses or computer problems experienced. Thank you.

I wouldn't call 66 votes on your website Nick
(http://www.mail-archive.com/sc-l%40securecoding.org/msg00758.html), a
comprehensive tally. It would be interesting to get a larger audience
involved in this type of question though.

Regards,

- webappsec


On 6/29/05, Nick Murison <nick@...> wrote:

The reason there is such a hugh investment in technology is because we
can't rely on people for security.  No matter how much we try to
educate, the general populous disregard the significance of security.
In addition, trivial security implementation are met with trivial
exploits, something that will do the cracker just fine.

. . wrote:

On 6/30/05, PPowenski@... <PPowenski@...> wrote:
> Your final statement still focus's only on technology i.e. educate programmers.
> Yes I agree they can play a significant part in security applications
> but in my experience the common theme of making everything transparent
> for the users is utter nonesene.
>
> Ordinary users should be educated in security principles to assist in
> understanding the value of data and how their actions could implicate an
> exposure. Especially since we still need to setup users as power users
> or admins in order to operate many third party apps.

Ahh... But you see, with proper security education of programmers, you
wouldn't need to give end users "Power User" or "Administrator" access.
You would teach the programmers how to use the available security framework.

"The person is smart, people are dumb, stupid and panicky." - MIB

You train the ones that build the world, that the end user "lives" in,  about
staying within a secure framework.

--
END OF LINE
       -MCP

Technology is crucial in protecting people from their ignorance. Many people don't know exactly how car brakes work but they know how important they are and they know how to use them. If you had to remember to set the brake pressure before you actually applied the brakes, people wouldn't be using them effectively. If a system asks for a password and accepts "pass" or "bigboy", that's a technology failure. Developers should know better.

On the other hand, security can actually be anti-productive in some cases. Case in point is firewall/anti-virus software. My 2.8 ghz Athalon 64 with 2 gb of memory and ultra serial ata drives is slower than my 1979 Z80A 8 bit, 8 mhz, 64 kb, dual 768k floppy system. Why? Every operation that goes to the processor has to be authorized. Every file has to be scanned. Every setting change has to be authorized. And we're using dumb technologies that pay no attention to efficiency (like html and xml). We write bloated code and have no clue what actually ends up in machine code. ("We" includes "me".)

Contrast that with a unix system that doesn't have nearly as many holes. Works fine for somebody with an advanced degree but is useless for the average user.

I am constantly amazed at how ignorant coders and developers are. Some are still putting unencrypted passwords in text files and just naming the file something weird like 2ikeu2.ocx. It's like leaving your wallet in your shoe when you go for a swim. No one will think to look there;) We use advanced encryption like blowfish/twofish/aes then use a password based on our birthdate. My favorite password is the one from spaceballs: 1234567. Face it. "Reverse engineers" are smarter, more educated, and more creative than most of us developers.

For every lock, there's a lock picker. Technology can only take us so far. People have to decide whether to put everything including the "plastic spoons and paper cups" under lock and key. The conclusion that I have come to is the biggest problem is (are) *both*. People have to make informed decisions and technology needs to help them in the best way possible. It is our job as coders & developers to understand security and make it easier for the average person to use. In the process, we can educate the user as well.