Guest editorial by Amrit Williams

“Security Engineering: Broken Promises”. The article lays out a series of issues with the security industry, specifically looking at an inability to provide any suitable frameworks for software assurance or code security.
"We have in essence completely failed to come up with even the most rudimentary, usable frameworks for understanding and assessing the security of modern software; and save for several brilliant treatises and limited-scale experiments, we do not even have any real-world success stories to share. The focus is almost exclusively on reactive, secondary security measures: vulnerability management, malware and attack detection, sandboxing, and so forth; and perhaps on selectively pointing out flaws in somebody else’s code. The frustrating, jealously guarded secret is that when it comes to actually enabling others to develop secure systems, we deliver far less value than could be expected."
And even when software, riddled as it may be with vulnerabilities and exposures, fails to lead to exploit because operational security professionals have put in place the people, processes, and controls to limit, negate, or completely survive an incident, we look the other way. We don’t talk about these successes; we don’t know how, as Michal further explains:
"In the end, regardless of the number of elegant, competing models introduced, all attempts to understand and evaluate the security of real-world software using algorithmic foundations seem to be bound to fail. This leaves developers and security experts with no method to make authoritative statements about the quality of produced code. So, what are we left with?"
We are left with the pursuit of the unattainable. We are left to grapple with inelegant imperfection. We are left incomplete, since we cannot measure the immeasurable, which leads one to believe that what we cannot measure is terribly flawed. What we must learn to accept is that security – as it pertains to both the development of software and its operational use – is ultimately more survivable than we like to believe.
We must also learn to accept that an inability to measure or even understand something doesn’t mean it doesn’t exist. As Nietzsche stated:
"The irrationality of a thing is no argument against its existence, rather a condition of it."
We are blessed with an awesome number of highly qualified, extremely intelligent and talented individuals moving in the right direction. It is not easy, nor will improvements happen quickly and radically. We can have faith, though, that incremental improvements in all aspects of the operational value chain will evolve security postures to where they need to be at any given moment in time.