There is a lot of USA firm coding done outside our shores.  Thus the 
attitude you are reporting impacts the software I am buying, both for my 
desktop and for the upcoming cloud applications.

This is the part that concerns me.  As a consumer of code, when it's in 
my possession I am then able to do what I can to augment the security of 
it.  When it's in the cloud, I'm depending on the vendor of the cloud to 
have thought about security.

We need to get to the place where you can come back in a few years and 
say that the culture has changed.

IMHO don't apologize.  It shows that we still need to get 
consumers/buyers of code to care that developers are taught to care.

We have work to do.

Stephen Craig Evans wrote:
> Hi Gunnar,
>
> I apologize to everybody if I have come across as being harsh.
>
> From my 8 years of experience of living in Asia and being actively
> involved as a developer and working with developers (at Microsoft as
> its first .NET Regional Developer Evangelist in 2001 to recently at
> Symantec as the first Secure Application Services consultant for
> APAC), IMO there's a big gap between the maturity of software security
> here vs. Europe vs. West Coast USA vs. East Coast USA.
>
> The culture is different and even in the situation that a software
> developer cared and wanted to implement software security, in many
> countries they could get in a lot of trouble for upstaging their boss
> and making him or her "lose face".
>
> The responsibility of secure software is not at the developer level in
> most cases, which is why I've spoken at regional IASA events
> (www.iasahome.org), with overwhelming positive responses, and will
> continue to try to reach the decision makers (as an OWASP
> representative) because trying to engage developers directly at this
> point in time at the maturity level of software security in APAC is
> not the most effective way to go about it. I'm sure, though, that at
> financial institutions they get it, but almost all of my clients are
> government and media/communications companies.
>
> Also, sorry to everybody for taking this thread off-topic.
>
> Stephen
>
> On Wed, Nov 26, 2008 at 2:24 AM, Gunnar Peterson <[EMAIL PROTECTED]> wrote:
>> stephen
>>
>> i spend at least half my time working directly with developers.
>>
>> for some reason i have not communicated as well as i should to you, what i
>> am saying is that the job is too hard for developers *because* the security
>> industry has let them down by sending them on a fool's errand of least
>> privilege.
>>
>> the problem or target in your words IS with security people NOT developers.
>> they have other problems just not an endless quixotic quest for least
>> privilege. i am not repeat not throwing developers under the bus in this
>> argument.
>>
>> i am ready, willing and possibly able to be proven wrong on this point and
>> maybe there is a cost effective way to deploy least privilege in the real
>> world just want to make sure that i communicate my argument.
>>
>> -gunnar
>> (who is now letting go)
>>
>> On Nov 25, 2008, at 12:07 PM, Stephen Craig Evans wrote:
>>
>>> I can't let this go.
>>>
>>> Gary, you are self-professed working with financial institutions and
>>> high-end customers.
>>>
>>> Gunnar, you are the same, at least what I gather from your Silver
>>> Bullet podcast when talking about the difference between SOA (top
>>> down) and Web 2.0 (bottom up).
>>>
>>> No flame war intended, but a healthy discussion should be in order.
>>>
>>> So please don't talk about "developers" as targets. They/we are the
>>> lowest on the totem pole. Direct your arrows at the people that you
>>> deal with. Plain and simple.
>>>
>>> Cheers,
>>> Stephen
>>>
>>> On Wed, Nov 26, 2008 at 1:48 AM, Gunnar Peterson <[EMAIL PROTECTED]>
>>> wrote:
>>>> look, i am a consultant. i work in lots of different companies. lots of
>>>> different projects. i don't see these distinctions in black and white.
>>>> sometimes the cto and managers are best positioned to help companies
>>>> develop more secure software, sometimes architects, sometimes auditors,
>>>> and many many times in my experience developers are best positioned.
>>>>
>>>> but i really, truly do not care who does it. my only goal is more
>>>> effective security mechanisms and some pragmatic roadmap to get there. we
>>>> are in the infancy of this industry (think automotive safety circa 1942,
>>>> all seat belts and brakes), we are in no position to turn away help from
>>>> anyone who can help. every company and every project is different, if
>>>> your organization is set up so that developers are not empowered, but
>>>> managers and CTOs are then by all means work with them.
>>>>
>>>> but actually the main point of my post and the one i would like to hear
>>>> people's thoughts on - is to say that attempting to apply principle of
>>>> least privilege in the real world often leads to drilling dry wells. i am
>>>> not blaming any group in particular i am saying i think it is in the "too
>>>> hard" pile for now and we as software security people should not be
>>>> advocating for it until or unless we can find cost effective ways to
>>>> implement it.
>>>>
>>>> -gunnar
>>>>
>>>> On Nov 25, 2008, at 11:28 AM, Stephen Craig Evans wrote:
>>>>
>>>>> It's a real cop-out for you guys, as titans in the industry, to go
>>>>> after developers. I'm disappointed in both of you. And Gary, you said
>>>>> "One of the main challenges is that developers have a hard time
>>>>> thinking about the principle of least privilege".
>>>>>
>>>>> Developers are NEVER asked to think about the principle of least
>>>>> privilege. Or your world of software security must be very very very
>>>>> different from mine (and I think my world at least equals yours but
>>>>> by about 2 billion people more, which might be irrelevant now but a
>>>>> little more relevant in the future :-)
>>>>>
>>>>> With the greatest, deepest respect to both of you,
>>>>> Stephen
>>>>>
>>>>> On Wed, Nov 26, 2008 at 1:01 AM, Stephen Craig Evans
>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>> Gunnar,
>>>>>>
>>>>>> Developers have no power. You should be talking to the decision makers.
>>>>>>
>>>>>> As an example, to instill the importance of software security, I talk
>>>>>> to decision makers: project managers, architects, CTOs (admittedly,
>>>>>> this is a blurred line - lots of folks call themselves architects). If
>>>>>> I go to talk about software security to developers, I know from
>>>>>> experience that I am probably wasting my time. Even if they do care,
>>>>>> they have no effect overall.
>>>>>>
>>>>>> Your target and blame is wrong; that's all that I am saying.
>>>>>>
>>>>>> Stephen
>>>>>>
>>>>>> On Wed, Nov 26, 2008 at 12:48 AM, Gunnar Peterson
>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>> Sorry I didn't realize "developers" is an offensive ivory tower in
>>>>>>> other parts of the world, in my world it's a compliment.
>>>>>>>
>>>>>>> -gunnar
>>>>>>>
>>>>>>> On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote:
>>>>>>>
>>>>>>>> HI,
>>>>>>>>
>>>>>>>> "maybe the problem with least privilege is that it requires that
>>>>>>>> developers:..."
>>>>>>>>
>>>>>>>> IMHO, your US/UK ivory towers don't exist in other parts of the
>>>>>>>> world. Developers have no say in what they do. Nor do they care about
>>>>>>>> software security, and why should they care?
>>>>>>>>
>>>>>>>> So, at least, change your nomenclature and not say "developers". It
>>>>>>>> offends me because you are putting the onus of knowing about software
>>>>>>>> security on the wrong people.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Stephen
>>>>>>>>
>>>>>>>> On Tue, Nov 25, 2008 at 10:18 PM, Gunnar Peterson
>>>>>>>> <[EMAIL PROTECTED]> wrote:
>>>>>>>>> maybe the problem with least privilege is that it requires that
>>>>>>>>> developers:
>>>>>>>>>
>>>>>>>>> 1. define the entire universe of subjects and objects
>>>>>>>>> 2. define all possible access rights
>>>>>>>>> 3. define all possible relationships
>>>>>>>>> 4. apply all settings
>>>>>>>>> 5. figure out how to keep 1-4 in synch all the time
>>>>>>>>>
>>>>>>>>> do all of this before you start writing code and oh and there are
>>>>>>>>> basically no tools that smooth the adoption of the above.
>>>>>>>>>
>>>>>>>>> i don't think us software security people are helping anybody out in
>>>>>>>>> 2008 by doing ritual incantations of a paper from the mid-70s that
>>>>>>>>> may or may not apply to modern computing and anyhow is riddled with
>>>>>>>>> ideas that have never been implemented in any large scale systems
>>>>>>>>>
>>>>>>>>> compare these two statements
>>>>>>>>>
>>>>>>>>> Statement 1. Saltzer and Schroeder:
>>>>>>>>> "f) Least privilege: Every program and every user of the system
>>>>>>>>> should operate using the least set of privileges necessary to
>>>>>>>>> complete the job. Primarily, this principle limits the damage that
>>>>>>>>> can result from an accident or error. It also reduces the number of
>>>>>>>>> potential interactions among privileged programs to the minimum for
>>>>>>>>> correct operation, so that unintentional, unwanted, or improper uses
>>>>>>>>> of privilege are less likely to occur. Thus, if a question arises
>>>>>>>>> related to misuse of a privilege, the number of programs that must
>>>>>>>>> be audited is minimized. Put another way, if a mechanism can provide
>>>>>>>>> "firewalls," the principle of least privilege provides a rationale
>>>>>>>>> for where to install the firewalls. The military security rule of
>>>>>>>>> "need-to-know" is an example of this principle."
>>>>>>>>>
>>>>>>>>> Statement 2. David Gelernter's Manifesto:
>>>>>>>>> "28. Metaphors have a profound effect on computing: the file-cabinet
>>>>>>>>> metaphor traps us in a "passive" instead of "active" view of
>>>>>>>>> information management that is fundamentally wrong for computers.
>>>>>>>>>
>>>>>>>>> 29. The rigid file and directory system you are stuck with on your
>>>>>>>>> Mac or PC was designed by programmers for programmers — and is still
>>>>>>>>> a good system for programmers. It is no good for non-programmers. It
>>>>>>>>> never was, and was never intended to be.
>>>>>>>>>
>>>>>>>>> 30. If you have three pet dogs, give them names. If you have 10,000
>>>>>>>>> head of cattle, don't bother. Nowadays the idea of giving a name to
>>>>>>>>> every file on your computer is ridiculous."
>>>>>>>>>
>>>>>>>>> Conclusion (gp): Least Privilege is the point where the practical
>>>>>>>>> matter of applying Saltzer and Schroeder's principles breaks down in
>>>>>>>>> modern systems. It's a deployment issue, and a matter of insufficient
>>>>>>>>> models and modes.
>>>>>>>>>
>>>>>>>>> http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html
>>>>>>>>>
>>>>>>>>> Remember the 1990s when there were all these search engines that
>>>>>>>>> required you tag up all the content and put it in hierarchical
>>>>>>>>> directories and so on? Well what happened? Google came along and ate
>>>>>>>>> their lunch. When the problem is information overload, telling
>>>>>>>>> everyone to go out and label everything is not gonna work.
>>>>>>>>>
>>>>>>>>> -gunnar
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Nov 24, 2008, at 4:34 PM, Gary McGraw wrote:
>>>>>>>>>
>>>>>>>>>> Sadly this non-adoption of privileged/managed code (filled with
>>>>>>>>>> blank stares) has been the case ever since the Java security days a
>>>>>>>>>> decade ago.  One of the main challenges is that developers have a
>>>>>>>>>> hard time thinking about the principle of least privilege and its
>>>>>>>>>> implications regarding the capabilities they should request.  Dinis
>>>>>>>>>> is brave to set such thinking as a target.  I've settled (after ten
>>>>>>>>>> years) with getting developers just to utter the word "security."
>>>>>>>>>>
>>>>>>>>>> All together now..."security".
>>>>>>>>>>
>>>>>>>>>> gem
>>>>>>>>>>
>>>>>>>>>> company www.cigital.com
>>>>>>>>>> podcast www.cigital.com/silverbullet
>>>>>>>>>> blog www.cigital.com/justiceleague
>>>>>>>>>> book www.swsec.com
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 11/24/08 12:31 PM, "Mike Lyman" <[EMAIL PROTECTED]>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Dinis Cruz wrote:
>>>>>>>>>>> Don't get me wrong, this is a great document if one is interested
>>>>>>>>>>> in writing applications that use CAS (Code Access Security), I
>>>>>>>>>>> would love for this to be widely used.
>>>>>>>>>> When we recommended recommending CAS during a review of the U.S.
>>>>>>>>>> Defense Information System Agency's new Application Security and
>>>>>>>>>> Development Security Technical Implementation Guide earlier this
>>>>>>>>>> year we were met with what amounted to blank stares. (At least it
>>>>>>>>>> seemed like that since it was a phone conference.) Some on the call
>>>>>>>>>> understood it and agreed with the recommendation but those hosting
>>>>>>>>>> the call and doing the writing didn't seem to grasp it. It may be a
>>>>>>>>>> while before we see too many adopting this or requiring it.
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> Mike Lyman
>>>>>>>>>> [EMAIL PROTECTED]
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>>>>>>>>>> List information, subscriptions, etc -
>>>>>>>>>> http://krvw.com/mailman/listinfo/sc-l
>>>>>>>>>> List charter available at -
>>>>>>>>>> http://www.securecoding.org/list/charter.php
>>>>>>>>>> SC-L is hosted and moderated by KRvW Associates, LLC
>>>>>>>>>> (http://www.KRvW.com
>>>>>>>>>> )
>>>>>>>>>> as a free, non-commercial service to the software security
>>>>>>>>>> community.
>>>>>>>>>> _______________________________________________
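The five steps in Gunnar's quoted post (define the subjects and objects, the rights, the relationships, apply the settings, keep them in sync) and Gary's remark about the capabilities a program should request, as a small worked example. This is an added example, not code from anyone in the thread. The subject names (reportsvc, webapp), the object paths, the RIGHTS set and the recorded access trace are constructed for illustration, and the right-sizing step (keep only the grants an observed run actually exercised) is one possible way of attacking step 5, offered as an assumption about what tooling could look like rather than as anything the thread endorses.

```python
"""Least-privilege bookkeeping: an enumerated policy plus a drift check.

Added example (not code from anyone in the thread).  Subject and object
names and the recorded access trace are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

# Step 2: the complete set of access rights this toy system recognises.
RIGHTS = frozenset({"read", "write", "execute"})

Access = Tuple[str, str, str]  # (subject, object, right)


@dataclass(frozen=True)
class Grant:
    """Step 3: one subject/object/right relationship."""
    subject: str
    obj: str
    right: str


class Policy:
    """Explicit allow-list over a closed universe: anything not granted is denied."""

    def __init__(self, subjects: Iterable[str], objects: Iterable[str],
                 grants: Iterable[Grant] = ()):
        self.subjects = frozenset(subjects)   # step 1: every subject ...
        self.objects = frozenset(objects)     # step 1: ... and every object
        self.grants: Set[Grant] = set()
        for g in grants:                      # step 4: apply the settings
            self.add(g)

    def add(self, g: Grant) -> None:
        # Refuse to grant anything outside the declared universe; a typo here
        # would be a silent hole in the policy if it were simply ignored.
        if g.subject not in self.subjects:
            raise ValueError(f"unknown subject {g.subject!r}")
        if g.obj not in self.objects:
            raise ValueError(f"unknown object {g.obj!r}")
        if g.right not in RIGHTS:
            raise ValueError(f"unknown right {g.right!r}")
        self.grants.add(g)

    def allows(self, subject: str, obj: str, right: str) -> bool:
        return Grant(subject, obj, right) in self.grants


def reconcile(policy: Policy, trace: Iterable[Access]):
    """Step 5: compare the policy with what the program actually did.

    Returns (unused, denied): grants the trace never exercised (excess
    privilege, candidates for removal) and accesses the policy would have
    refused (a missing grant, a policy that fell out of sync, or a real
    violation; a human has to decide which).
    """
    used = {Grant(*t) for t in trace}
    return policy.grants - used, used - policy.grants


def minimal_policy(policy: Policy, trace: Iterable[Access]) -> Policy:
    """The least set of privileges necessary to complete the observed job:
    keep only the grants the trace exercised.  Denied accesses are not
    promoted to grants; that decision stays with a person."""
    used = {Grant(*t) for t in trace}
    return Policy(policy.subjects, policy.objects, used & policy.grants)


# --- constructed sample data (hypothetical names) -------------------------

def example_policy() -> Policy:
    subjects = ["reportsvc", "webapp"]
    objects = ["/var/db/orders", "/var/log/app.log", "/usr/bin/mailer"]
    grants = [
        Grant("reportsvc", "/var/db/orders", "read"),
        Grant("reportsvc", "/var/log/app.log", "write"),
        Grant("reportsvc", "/usr/bin/mailer", "execute"),  # never used below
        Grant("webapp", "/var/db/orders", "read"),
        Grant("webapp", "/var/db/orders", "write"),
        Grant("webapp", "/var/log/app.log", "write"),
    ]
    return Policy(subjects, objects, grants)


def example_trace() -> list:
    """Accesses recorded from one run, constructed for the example."""
    return [
        ("reportsvc", "/var/db/orders", "read"),
        ("reportsvc", "/var/log/app.log", "write"),
        ("webapp", "/var/db/orders", "read"),
        ("webapp", "/var/db/orders", "write"),
        ("webapp", "/var/log/app.log", "write"),
        ("webapp", "/usr/bin/mailer", "execute"),  # not granted: flagged
    ]


if __name__ == "__main__":
    policy = example_policy()
    unused, denied = reconcile(policy, example_trace())
    print("excess grants:", sorted(map(str, unused)))
    print("denied accesses:", sorted(map(str, denied)))
    tight = minimal_policy(policy, example_trace())
    print("grants after right-sizing:", len(tight.grants))
```

Run stand-alone it reports one excess grant (reportsvc never executes the mailer) and one access the policy refuses (webapp executing the mailer). minimal_policy drops the former and deliberately leaves the latter alone: a denied access is either a grant the policy is missing or an attempt the policy correctly stopped, and no trace can tell those apart on its own, which is the part of step 5 that stays expensive.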
