Tag Archive 2017

Popular Media Coverage of Software and Formal Methods

Matt Konda No Comments

It is interesting … in the wake of Equifax and other recent news, The Atlantic has published several articles about software:

I say it is interesting because I am completely torn about both of them.  On the one hand, they are correct.  The Equifax Breach should not really be a surprise and the fact that there are coding errors in any system of significant size is something that most software developers or security professionals would accept without argument.

On the other hand, complacency or acceptance is the last thing that I would advocate for developers, consumers or companies after the Equifax breach.  I’ve already written about that here.

Furthermore, while formal methods present an interesting direction for software verification, in practice they are limited to very specific use cases.  I’ve never seen them employed professionally for any widely used application.  That doesn’t mean they aren’t or couldn’t be, but if I haven’t seen it – probably its not real or accessible for common developers yet.

An interesting side effect of these articles being in The Atlantic is that people who wouldn’t usually ask about these things are asking.  I’ve heard about each of these articles from numerous people at clients and partners.  I suppose that is a benefit of having the discussion – provided people have the attention span to continue the discussion.

The “Saving the World From Code” article also included a general quote which I think probably should have been attributed to Marc Andreesen in the Wall St. Journal in 2011:

It’s been said that software is “eating the world.”

The fact that it is not, makes me wonder just a bit about the context the article is written from.  One thing I can’t argue with is the substance of that quote, which again was from 2011.  I would perhaps add to it that software is flawed everywhere.  I just don’t buy that formal systems or rigorous modeling are a realistic near term solution for that.  Many of our clients are adopting new languages or technology – sometimes with more security issues – even as we work to secure their systems.  The idea of a 4GL language, which has been an idea for almost my whole professional career, where we can assemble a program in an increasingly sophisticated IDE with visual blocks like the hacking scene in the movie Swordfish seems unachievable in practice.  If anything, I prefer simpler text editors than ever before.

Ultimately, there is a lot that we can do to secure our systems.  Things like threat modeling to identify and then isolate scope, actively working on architecture, building common reliable blocks, teaching developers, building cultures that value security, using tools and smarts to think about scenarios, teaching practices that encourage security to be a first class part of the SDLC … all of these are real things people in the real world are doing to make software safer.  I doubt there is a silver bullet that somehow avoids the people understanding the problem – we have to accept that as a cost or accept the insecurity of the software we use.  I guess that’s why people hire us to help them secure their software.

Predictions Sure To Go Wrong for 2017

Matt Konda No Comments

I don’t have much time to listen to Sports Radio anymore, but I used to love to listen to Mike & Mike on ESPN Radio.  They had a segment called Predictions, Sure to Go Wrong which was clearly their way of having fun making predictions while making fun of themselves and admitting they really had a strong likelihood of being wrong.  In that spirit, I offer these predictions for 2017.

Easy Predictions

Ransomware will continue to explode and countermeasures will evolve.

Phishing and Social attacks will continue to be a common and easy attack vector.

Vendors will continue to sell “Security in a Box” ™ despite the fact that this hasn’t worked for years.  People will continue to buy “Security in a Box” ™ even though they know it doesn’t work well because they don’t have any other options.

Technical debt will continue to grow and realizations about the scope of technical debt will explode.

Security leaders will continue to be underfunded not only because of the asymmetric nature of security but also because they will fail to own up to planning for the wrong adversary for the last few years.  Even substantial increases in budget (eg. 25% increase) will be a pittance compared to what is needed.

Lots of household name companies will get hacked.  Security will continue to be visible in geopolitical sphere.

Harder Predictions

Cloud providers – both at the platform and the security level – will continue to innovate and be able to provide some of the best security solutions available.  Already providing identity, WAF, key management, logging and network controls, automated monitoring and platform level predictive algorithms will advance and become more accessible to common users.

Efforts to build warrantees will fail.  The idea of accountability for software vulnerabilities is well founded.  Its just that software development is so complicated that a clear line of responsibility seems almost impossible to establish.  In cases where it might be, software firms I know would never sign on because they con’t control each and every developer to a level where they can absorb the inevitable breach.

Industry Wide

There will be active growth and consolidation in events, communities and vendors.

There will be emerging certifications for developers around security.

There will be broad training for people to get into security.

Vision

Companies will see the need for engineering work specific to security.  Things like the following will be increasingly interesting:

  • Authentication service
  • Authorization service
  • Managing secrets
  • Security automation
  • Application level signal for logs
  • Frameworks for mobile infrastructure