If you ask security guru Bruce Schneier, the IT security industry was born by accident, ignored all its life, and is now dying. That’s a fair summary, anyway, based on the link he sent to a late 2007 op-ed he wrote for IEEE Security & Privacy, “The Death of the Security Industry.”
Declining to be interviewed due to his travel schedule, Schneier did point to his prediction that security would be mainstreamed into IT vendor portfolios. “IT security is critical, but there’s no earthly reason why users need to know what an intrusion-detection system with stateful protocol analysis is, or why it’s helpful in spotting SQL injection attacks. As IT fades into the background and becomes just another utility, users will simply expect it to work. The details of how it works won’t matter,” he said.
On the frozen tundra of recessionary IT spending, the only green to be seen last year came from the security market, which both grew revenues and became ripe for acquisitions.
Among the mature tools with inviting price tags: Watchfire and Ounce Labs, makers of a Web application security analysis tool and a static analysis tool, respectively, were bought by IBM in 2007 and 2009. SPI Dynamics (Web app analysis), Fortify (static analysis) and the just-announced ArcSight (monitoring) are all Hewlett-Packard purchases.
McAfee’s portfolio, ranging from antivirus to mobile device protection, was just snapped up by Intel, which cited security as the third pillar (along with energy efficiency and connectivity) in today’s computing experience.
“Vendors are trying to take security more mainstream—that is, bake it into most things they do,” said Michael Coté, an industry analyst with RedMonk. “There’s always the tension of Microsoft finally doing rock-solid virus scanning for free in Windows, instead of letting the market for Intel/McAfee, Symantec, CA Technologies and others exist. But they seem to be avoiding that.”
Sized at a Gartner-projected US$4.2 billion, the consumer market for security technology dwarfs the market for developer-focused security tools, though the unveiling of a secure operating system for the world’s PCs would certainly mean death for Norton AntiVirus and sub-zero temperatures in Hades. But Redmond’s efforts over the past few years to assuage fears about identity theft and e-commerce scams did prime the pump for other security market niches.
“The Microsoft Trusted Computing initiative was all about what happens at the end point, which is where Microsoft does most of its business,” said Forrester principal analyst Chenxi Wang. “It talks nothing about what’s happening in the cloud or in the network. That part is clearly missing from the Trusted Computing initiative. This string of acquisitions points to IT security becoming a core business process, not just a technology function that sits on the side. Broad IT security strategy will be part of a platform play for companies.”
The firewall isn’t the end-all
In the history of computer science, injecting security awareness into the application development life cycle has yet to gain traction. Could the new dangers bombarding software change that? Approximately 80% of successful attacks last year were at the application level, according to the U.S. government’s Computer Emergency Readiness Team. Securing networks and perimeters is crucial, to be sure, but developers can’t continue to ignore the perils of poor design.
Wang points to the January 2010 Aurora attack on Google, which exploited a flaw in Microsoft Internet Explorer, as a watershed event in the application-level security market. As a result, Google launched a security lab, she said. And the threat is ongoing: A new, as-yet unpatched zero-day vulnerability in Adobe PDF Reader and Acrobat software is being exploited in what was reported on Sept. 13 as possibly a continuation of the Aurora attacks.
“The stakes are a lot higher than they were a few years ago when we were dealing with script kiddies and hackers,” said Wang. “These days we’re seeing the threats moving to low and slow, steady attacks aiming at obtaining your crown jewels: Your core IP or your competitive secrets.”
And the little things add up, according to Bola Rotibi, a UK-based research director of Creative Intellect Consulting. “There was a big study back in 2009 that showed the top 25 security errors on websites,” she said. “They were costing the industry a billion dollars, but they could be easily identified with static analysis tools. People are now recognizing how much this is costing them.”
Cloud computing, too, portends new challenges and uncertainties. With software-as-a-service, browser-to-server communication “inevitably leaks out the program’s internal states to those eavesdropping on its Web traffic, simply through the side-channel features of the communication such as packet length and timing, even if the traffic is entirely encrypted,” wrote XiaoFeng Wang, director of the Center for Security Informatics at Indiana University, in an abstract describing Sidebuster, a tool for detecting side-channel vulnerabilities.
Despite these sea changes, many developers still focus on colorful features, unaware of the impending security tsunami. Gartner analyst Joseph Feiman describes the surprising result when he and his colleagues asked attendees at security summits around the world to choose the most realistic of four security scenarios for the future, ranging from whether white hats will prevail over black hats to whether the entire profession will be absorbed into other IT disciplines (as Schneier posits).
“The first quadrant was software engineering: Very effective security becomes an integral part of software. That wasn’t very popular. Next was chaos: The profession and infrastructure fail. Hackers, criminals and terrorists take over the normal guys and shut down Web commerce. Number three was a perpetual arms race. And fourth was security nirvana: We succeed extremely well, and enemies yield to our expertise,” Feiman explained.
The result? Among European and Australian audiences, the most likely scenario was the perpetual arms race. Among Americans, however, it was security nirvana.
“We were amazed. This is after 9/11, etc.,” Feiman said. After a discussion period, the U.S. audience did change its vote to perpetual arms race, but the initial result says something either about American optimism or its faith in technology—or both.
Regardless, the optimism is misguided, Feiman wrote in his May 2009 report on the meetings, entitled “Security in 2013 and Beyond.” “Software Engineering has not succeeded over the last 50 years (since the inception of industrial computing) in ensuring the delivery of high-quality applications. There is no reason to believe that it will succeed in delivering high-security applications over the next five years,” he wrote.
The tools are out there
Inside the development shop, it’s going to take more than just a few Coverity licenses or some FindBugs freeware to enforce code-level security. First, there’s overcoming the aforementioned head-in-the-sand syndrome. Second, there’s understanding that code reuse and third-party widgets make it impossible to know exactly what vulnerabilities exist, either in the source code or in the combined interactions of all the moving parts. Third, secure design must become a part of the design process, not a bolt-on or a deployment test.
The Open Web Application Security Project, for example, has a snazzy idea for introducing security-focused code reviews into an agile development team’s process: Evil user stories. You “hack” the product backlog by adding stories that describe malicious scenarios, such as, “As a hacker, I can send bad data in the content of requests, so I can access data and functions for which I’m not authorized.” Further, a host of common Web security scenarios must be considered in every development iteration.
Most everyone seems to agree that security is one area that, unlike agile development, benefits from a top-down mandate. Security awareness training and just-in-time IDE aids or build scripts can help code stay cleaner, according to Forrester’s Chenxi Wang. Along those lines, she said that more and more secure design concepts are finding their way into technology itself.
“I think there’s some interesting work that is happening if you look at the progression of IDEs or frameworks,” she said. “More and more memory safety techniques are being built into the language itself. Some security controls are migrating into development environments. Some could be built into the compilers. Certain security controls can be built into the silicon. We see it happening a little bit, but I don’t think it’s happening enough. I think we need to move more of the controls out of developer hands so they don’t make mistakes.”
Could Enterprise Security Intelligence emerge?
Feiman said that his company’s reports since 2006 have advised platform players to snap up security ISVs, and that their purchasing predictions have been spot-on when it comes to IBM and HP. Now the companies are integrating those tools, using static and dynamic analysis in tandem, for example, to triangulate on weaknesses. “If you bring Fortify and WebInspect together, the discovery of a vulnerability by one technology will be either disproved or confirmed by the other,” he said.
But even that improvement is no end game. “The concept that will bring it all together is what I call Enterprise Security Intelligence, or ESI,” he said.
Security is only going to get more overwhelming, Feiman says. By merging the existing silos around protecting networks, applications and data, enterprises can move from a coverage-based approach to a query-based one.
“The traditional security model, in which vendors sell—and enterprises buy—scanner runs or monitor time, will become ineffective and obsolete. Security intelligence will evolve into an explicit product or service with an explicit pricing model. Vendors can sell, and enterprises can buy, queries—specific answers to specific questions,” wrote Feiman in a June 2010 report on ESI.
Rotibi and others concur. “The story around security is going to change. It’s not saying that we don’t have tools. It’s asking how all of these are going to be integrated into a strategy,” said Rotibi. But even with focused security intelligence and better application-level design, doesn’t that increased level of attention—no matter how integrated the tool set may be—imply that security professionals, like police, prison guards and surgeons, still have to do the dirty work when prophylactic measures fail?
Whatever the answer, one thing is clear: The IT security industry isn’t dead quite yet.
Security never gets old
In “The Protection of Information in Computer Systems” (Proceedings of the IEEE, September 1975), Jerome Saltzer and Michael Schroeder enumerate eight fail-safe security design principles. I reported them in an April 2000 article in Software Development entitled “Intrusion Detection.” They bear repeating:
1. Least privilege: Relinquish access when it’s not required.
2. Fail-safe defaults: When the power goes off, the lock should be closed.
3. Economy of mechanism: Keep things as small and simple as possible.
4. Complete mediation: Check every access to every object.
5. Open design: Don’t attempt “security by obscurity.” Assume the adversary can find your hiding places.
6. Separation of privilege: Don’t make privileged decisions based only on a single criterion. Use the onion-skin model.
7. Least common mechanism: Minimize shared channels.
8. Psychological acceptability: Make security painless, transparent and ubiquitous.
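As an added illustration (not code from the article or from OWASP), here is a toy reference monitor that puts several of the principles above into practice (complete mediation, fail-safe defaults, least privilege, separation of privilege) and then checks itself against the OWASP evil user story quoted earlier. The policy, principal names and request bodies are all constructed for the example.

```python
# Added example, not from the article: a toy reference monitor applying several
# of the Saltzer & Schroeder principles above, then checked against the OWASP
# "evil user story" quoted earlier. Names, policy and requests are constructed.
from dataclasses import dataclass

# Constructed policy: the permitted (role, action, object type) triples.
POLICY = {("viewer", "read", "report"), ("analyst", "read", "report"),
          ("analyst", "export", "report"), ("admin", "delete", "report")}

@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    mfa_verified: bool = False  # independent second factor for privileged actions

def is_allowed(principal, action, obj_type):
    # Complete mediation: every access passes through this one check.
    # Fail-safe default: anything not explicitly in POLICY is denied, including
    # unknown roles or actions and malformed (non-string) inputs.
    if not (isinstance(action, str) and isinstance(obj_type, str)):
        return False
    if not any((r, action, obj_type) in POLICY for r in principal.roles):
        return False
    # Separation of privilege: a destructive action needs the admin role AND a
    # verified second factor, never a single criterion.
    if action == "delete" and not principal.mfa_verified:
        return False
    return True

def handle_request(principal, request):
    # Returns an HTTP-style (status, body) pair. Least privilege: role claims in
    # the request body are ignored; only the server-side principal counts.
    action, obj_type = request.get("action"), request.get("object")
    if not is_allowed(principal, action, obj_type):
        return 403, "forbidden"
    return 200, f"{action} {obj_type} ok"

def evil_story_is_blocked():
    # "As a hacker, I can send bad data in the content of requests, so I can
    # access data and functions for which I'm not authorized."
    attacker = Principal("mallory", frozenset({"viewer"}))
    bad_requests = [
        {"action": "delete", "object": "report", "role": "admin"},  # forged claim
        {"action": ["read"], "object": "report"},                   # wrong type
        {"action": "read", "object": None},                         # missing object
        {"action": "export", "object": "report"},                   # not permitted
    ]
    return all(handle_request(attacker, r)[0] == 403 for r in bad_requests)
```

The evil user story becomes a regression test that runs in every iteration: `evil_story_is_blocked()` must stay true as the policy grows.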