Chasing the compliance dragon is holding back security tooling

Developers have everything they need to create the security-based systems of their dreams, but they're too busy chasing compliance regimes that distract them from breaches, according to Sourcefire founder Martin Roesch.
Written by Michael Lee, Contributor

Although Snort provides a starting point for security-minded developers to build the ultimate intrusion detection and/or prevention system (IDS/IPS), that rarely happens, because they're all too busy, according to Sourcefire founder and creator of Snort, Martin Roesch.

In 1998, Roesch developed Snort, a lightweight IDS/IPS, and released it as open source under the GNU General Public License. However, despite its open-source nature and the ability for anyone to roll their own IDS/IPS as an alternative to the many expensive products on the market, Roesch said that not many people are actually taking full advantage of it.

"You would think, as it's an open-source project, anybody can contribute to it any time they want or do their own things with it, and they can, but it's surprising how few people do," he told ZDNet in an interview.

"You see this with a lot of projects; 99 percent of the users never contribute anything, and then you've got 1 percent who are kind of in communication with the developers, and then some small percentage of them are actually cranking code or generating patches or making documentation."

But Roesch admitted that writing good code, especially for an IDS/IPS, is a challenging task, and not for the faint-hearted.

"You're writing low-level C code on a real-time platform. It's very performance sensitive, and it's also going to be under constant attack. You have to code defensively," he said.

"Not too many people [contribute] because the guys who are good enough to do it are usually too busy with other stuff, and the other guys who are dabbling, they're not creating code that's necessarily ready for prime time."

Because the skills requirement is so high, there is a shortage in the already narrow field of information security. However, Roesch said that the shortage isn't necessarily at the developer level, but at the implementer and security operations level. He said that the industry needs knowledgeable, experienced people who use tools like Snort and who are also protecting their networks effectively.

In addition to these people being stretched for time, he said that the current focus on compliance and regulation means that the real security issues aren't being addressed.

"We see over and over again how people are beholden to compliance regimes, and things like that that don't necessarily make your network more secure."

Roesch said that instead, these regimes, which are often completed and then forgotten about, can be a "huge distraction from actually making your network secure" and even result in compromises.

"People run these treadmills trying to run down all the paperwork and get all the audit results in that they don't notice."

To address the challenge of finding people to contribute to defending networks, he said that the industry needs to change its mindset and even "romanticise" the role of the defender to some extent.

"Notable figures in the industry are starting to talk about this idea of making defence sexy, or at least telling people, 'hey, it's all well and good that you can reverse engineer software, but what we really need help with is coming up with new models of keeping bad guys out of networks, or having more effective defences, or just being a more effective defender.' Those are the things that society really needs today.

"Given the stakes these days, I would say that [defence] needs to be treated more seriously, and I know that it's treated seriously in a lot of places, but I think that it could be done a lot better, because if people were well and truly dedicating themselves to it, we would see better results than we see today. What we see is comprehensive compromises of large networking environments and IP being stolen wholesale and things like that. It's really pretty bad."
