Framing Software Security
Today's post comes from Ben Tomhave. Ben and others felt the Zalewski ZDNet piece was a bit of a "Blame or Frame Job" on our industry and was compelled to respond. Do you agree? You'll want to follow the links if you haven't already read them. Any post that starts with a Sin City reference is likely to be gritty.
by Ben Tomhave (@falconsview)
"I've been framed for murder and the cops are in on it. But the real enemy, the son of a bitch who killed the angel lying next to me, he's out there somewhere, out of sight, the big missing piece that'll give me the how and the why and a face and a name and a soul to send screaming into hell." ("Marv" in the movie Sin City)

I've read and reread (a couple of times) the May 20th article "Security engineering: broken promises" by Michal Zalewski of Google (a guest post on ZDNet's "Zero Day" feature). I have to say, I find it highly disappointing and FUD-tastically frustrating. The bio at the end describes him as a "security researcher," which in my mind makes him a "breaker" more than a "fixer" (supported by the kinds of tools he's released). As such, we have to expect a degree of whining cynicism about how bad things are, but I would have at least hoped he'd have a little more clue before spreading FUD doom and gloom.

Framing Frameworks
"...for several decades, we have in essence completely failed to come up with even the most rudimentary, usable frameworks for understanding and assessing the security of modern software... The frustrating, jealously guarded secret is that when it comes to actually enabling others to develop secure systems, we deliver far less value than could be expected."

As a card-carrying member of OWASP, I find this statement to be ill-informed and suspicious. While it is true that we don't have mathematical models describing software security (to which he later alludes), it is completely false to say that we lack frameworks for understanding and assessing software security (which he never defines). There are lots of options to choose from, whether it be OpenSAMM, BSIMM/BSIMM2, or even the various efforts of groups like OWASP, ISECOM, or WASC. Let's also not forget efforts like Microsoft's SDL.

In terms of enabling others, this is not a security failure, it's a management and business failure. Many like to throw blame onto security teams for this situation, but everything ultimately comes down to the decision-makers and their need to place proper emphasis on the requirement for writing secure code and apps.

Framing Risk Management
Now we get into some very FUD-erific territory...
"...[risk management] introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work."
non-trivial resources, any resource could be used as an attack vector, and none of them is likely to see a volume of events that would make statistical analysis meaningful within the scope of the enterprise."

and

"...in information security, there is nothing contributed by healthy assets to directly offset the impact of a compromise, and there is an insufficient number of events to model their distribution with any degree of certainty; plus, there is no way to reliably limit the maximum per-incident loss incurred."

Wow, talk about cynical. First off, apparently risk management has no value. Second, risk management apparently detracts from security initiatives. Third, because there are potentially infinite threat vectors, the statistical analysis performed in risk assessment is pointless. All of this prattle belies a keen ignorance about risk management, and once again seems to suggest that software security failures are a result of something other than poor coding practices under the rule of security-disinterested business leaders.

More importantly, his risk management comments don't seem to have much of anything to do with risk management, but instead seem to be focused on risk assessment methods. He probably also thinks that qualitative risk assessment techniques are de rigueur. It never ceases to amaze me when criticism is launched from a place of ignorance.

Framing Unified Theories
As the piece progresses (or maybe it digresses), it seems that we finally start to see his true intentions as he talks about CWE and CVSS, saying: "Having said that, none of them yielded a grand theory of secure software yet - and I doubt such a framework is within sight." This comment finally reveals Zalewski's true intent or hope, and that is some sort of mystical silver bullet "grand theory of secure software." I thought this guy was a security researcher for the venerable GOOG? Anybody else's spidey sense tingling over the inanity of his comment here?

Of course, perhaps the biggest problem is Zalewski chafing at what is actually "good enough" from a software security perspective. Frameworks seem to be the preferred ideal du jour, but to what end, and with what backing? More importantly, to quote Amrit Williams:

"What we must learn to accept is that security – as it pertains to both the development of software and its operational use – is ultimately more survivable than we like to believe." (from "The Simple Elegance of Faith; When Good Enough Is")

Call me crazy, but it seems like Zalewski is framing infosec for the failings of business leaders, compounded by his own ignorance.
What do you think?
Also check out Jack Daniel's response ("A bit of deep thought.") as he links to several other replies as well.