The various threats out there such as viruses, worms, Trojans and the different methods of attacking or gaining unauthorized access to a network or computer almost all have one thing in common though- sloppy or insecure programming.
If it weren't for vulnerable software there might not be a need for many of the other security technologies we use. Antivirus software, firewalls, intrusion detection, etc. are all primarily reactive technologies designed as a "bandaid" solution to protect your computers from being victimized by flaws in software programming.
Gary McGraw, the CTO (Chief Technology Officer) of Cigital and co-author of the book Exploiting Software, has written over sixty peer-reviewed technical publications and functions as principal investigator on grants from Air Force Research Labs, DARPA, National Science Foundation, and NIST's Advanced Technology Program. He serves on Advisory Boards of Authentica, Counterpane, Fortify Software, and Indigo Security as well as advising the CS Department at UC Davis. Dr. McGraw holds a dual PhD in Cognitive Science and Computer Science from Indiana University and a BA in Philosophy from UVa. He regularly contributes to popular trade publications and is often quoted in national press articles.
I got to steal a little time from Mr.McGraw to talk about some of the issues facing computer and network security today and the impact of software design on this problem:
TB (Tony Bradley): Corporations spend large sums of money and a good portion of their budgets each year to provide network and computer security, but home users remain largely unaware of security issues or technology. Does it seem to you that there is a lack of focus on securing home users?
GM (Gary McGraw): Home users can directly benefit from security products developed and first used by corporations. One great example is anti-virus software, which many home users now deploy. This kind of product was developed initially for corporate LANs. Though server-based firewalls have not been adopted as widely by home users, there are now personal firewalls that are definitely recommended. The explosion of worms and viruses (especially those that propagate through e-mail) has necessitated the use of these products for everyone. In final analysis, home users seem to benefit from corporate security mechanisms.
And yet the overall computer security problem is growing instead of shrinking. The problem is that security vendors are not working on the right problem! Instead of investing more activity in making reactive security technologies like firewalls and intrusion detection systems, what we need to do as an industry is determine how to build more secure software and attack the problem proactively. Security has been in the hands of the operations people for too long, it is time for the builders to get involved.
The fact is, most computer security attacks involve software exploit. We wrote Exploiting Software to make this clear. Once we take the lessons found in Building Secure Software (another book I wrote) to heart, both corporations and home users will find themselves in a better security situation.
TB (Tony Bradley): Many worms and viruses only work because they exploit a vulnerability or flaw in an underlying software program- do you feel that flawed code is one of the biggest problems facing computer and network security today?
GM (Gary McGraw): Absolutely! Broken software, insecure software, and software exploit are the most pressing concern in computer security today. Every worm, every virus, and every hack attack involves exploiting software.
In order to understand what we’re up against, it is important not to bury our heads in the sand and pretend the problem does not exist. Instead we need to understand and study the problem deeply…maybe even creating a science of software attack so that we can better defend our systems.
The problem will continue to grow because of what we call the Trinity of Trouble: 1) The Net: all code is on the Internet today, exposing it to attacks from all over; 2) Complexity: software is more complex than ever, we make more of it, and it is highly distributed; and 3) Extensibility: modern software (based on .Net and EJB) is designed to be extensible on the fly, so anticipating all possible extensions and their impact on security posture is difficult at best. We have our work cut out for us.
One of the great ironies of software security is that most of the people attacking our systems are software people; while most of the people defending our systems are not. This is not good! We need more software people involved in defensive aspects of computer security.
