Whos Inspecting the Code?
Lipner: Peter previously quoted Eric Raymond, saying, In many eyes, all bugs are shallow, but the real issue is, are many eyes looking? … You still get these buffer overruns detected in public open source libraries that have been available for inspection and download and modification basically forever. Thats not to say that code inspection doesnt work, but I think what its saying is that, with open source, everybody is relying on somebody else to do the code inspection. We get code inspection done by people paid to do that, and thats a model thats pretty understandable.
Coffee: Let me bring eWEEK Labs Technical Director Jim Rapoza into the conversation at this point. Jim, is security something that will emerge out of the community process that surrounds open source, or is it preferable to buy it from someone and insure against whatever flaws there might have been in that purchased product?
Rapoza: If you look at Apache, that has an excellent security history. I think part of it is how much a product is used. Apache has had bugs in the past, and the open source method has done a very good job of locking it down and securing it. Sure, you can pull out things like BIND and stuff that seem to consistently have problems. Its nice to get that nice, clean patch from a vendor that you know has undergone a lot of regression testing, but theres probably still a relatively high percentage of times that you install that nice patch from a vendor and it causes problems, and you have to revert to an earlier patch or you have to reinstall.
Coffee: One of the things that weve seen in the community of those who sell security is an evolving relationship between with the sellers of business interruption and business continuity insurance, where, in effect, the use of technology becomes part of the best practices that they want to see as a condition of writing an insurance policy against interruption of the business by means of an Internet attack, for example. Steve Trilling, do you think that thats a virtuous cycle that we have emerging here, where the security technology and the people who insure against the residual risk work with each other to help improve the overall risk balance?
Trilling: Thats a little bit of a hard question to answer. Certainly, we think that the security policy inside any organization should be guided by security experts, and not necessarily just by insurers or by legislation, but by people with a lot of experience at securing particular organizations. At the same time, I think there is awareness that, for critical organizations across the world, there needs to be some basic security standards. When we put our money in a bank, we want to know that that bank is securing itself appropriately, so the federal government has raised a lot of issues and has certain laws now regulating financial and banking and health care and other critical industries. Certainly anything that raises the consciousness of security inside corporate environments is a good thing. However, at the same time we want to be careful and make sure that security policy decisions at organizations are generally guided by security experts and security companies, such as Symantec and others.
Coffee: With all of the aspects of security that are quite specific to a particular installation of a product, or installation of a combination of products and so on, do you think we can ever get to the equivalent of an Underwriters Laboratory certification that says, yes, this is a secure product or, no, this is not?
Davidson: We have that--formal security evaluations. Its not just that theyre international standards. The common criterion is an ISO standard, and certainly it is being required. The US federal government, through NSTISSP 11—the National Security Telecommunications Information System Security Policy No. 11cq--says that systems involved in national security have to have independent measures of assurance.
Coffee: Yes, but can that certification have the same meaning to the buyer that theyre accustomed to seeing when, for example, they see a UL label on a piece of electrical equipment?
Davidson: Getting at a major issue that I dont think has been raised, and I certainly dont want to be in a blame-the-victim mode, is one of the general problems that youve had to date: Customers do not make security a purchasing criterion. Its sort of like, "I buy the product because it has all the bells and whistles," and then they try to see whether its secure or not, or they want it bolted on. And, just as you have to build security into your entire process, you have to make security a part of your purchasing criterion, and you do that in a number of ways. One of the ways you can do that is to look for the seal of approval. Look for an independent evaluation of FIF-140, if its a cryptographic product, a common criteria evaluation. You can also look at the vendors track record in terms of how many security patches theyre issuing. Do they have a long history of maybe not paying attention to security, and are they responsible when they do have to patch things? There are a whole lot of things that you can go through.
Lipner: My iron is a lot simpler an artifact than my laptop computer with the software loaded on it, and there are a lot more ways to use the laptop and misuse it than there are the iron or the toaster. Some of that is incumbent on the user, and some of its incumbent on us to make the default secure and make the installation secure and disable the services that people arent likely to need and so on. But there is still a residual element thats going to be left to the user, and thats going to probably be bigger than with an iron or a toaster.
Coffee: Ed, when people come to you at Sun to buy a server farm thats going to be the foundation of an e-business, do they ask questions that make you guys believe that they are thinking in terms of security as being a differentiator in the choices they make?
Glover: Absolutely. Security is something that is pretty much a question, whether its buying server farms or even any kind of services that we have today. Remember, Im from a professional services standpoint; Im not a product person. When I work with our customers out there, they are expecting security to be inherent in the technology and in the implementation integration, and a lot of times we try to also work with our customers to understand that security and products is just one part of it. Its also the people and process, which is very important, too. Its got to be all three of those together to allow you to achieve the level of security that you want to achieve, given the amount of risks youre willing to accept.
Trilling: If I could make an analogy to reinforce the point that everyone is making, if an organization bought a big physical alarm system for a plant, it wouldnt do them any good unless they had a proper policy in place—who knows the alarm code, who knows how to turn it off and turn it on, and when it goes off, whom do you call? All of those things would be critical in the success of securing any physical environment, and the same kinds of policies apply to securing a cyber environment.
At the same time, organizations would certainly like security to happen by default as much as possible, and one of the things weve tried to do is make it easier and easier for people to get updates. For example, in our consumer antivirus product now, it will check whenever youre online for all of the updates that had been posted at our Web site since the last time you were online, and so users will get them automatically without having to push any buttons. Nevertheless, there is always going to be a crucial human factor in securing any kind of environment, whether its a home or a building or a set of hard drives or a lot of servers.
Glover: Id like to add to that. Ive been in the security business for a long time, and I echo that on the human factor piece, because over the last 20 years, I constantly see the same things over and over again. Were dealing with the same issues. Sure, products are addressing more of the security, and were building more security into it, and people are aware of it. But, as a consultant, I constantly see the same things over again, and it starts with the lack of policies and the lack of understanding of what security needs to be built in. Its always the same story over and over again, so its really a people issue.