Re: [SC-L] How big is the market?

[McGovern, James F (HTSC, IT)]

One thing that I can say is that vendors sometimes are doing themselves a 
disservice in terms of getting software security to grow even faster. Currently 
anything that has the word "security" in it automatically gets redirected to 
information protection types in large enterprises who usually are degrees away 
from those who actually write source code. A method should be to reach out to 
the development community via publications such as Java Developers Journal and 
similar forums.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gary McGraw
Sent: Friday, April 20, 2007 4:17 PM
To: SC-L@securecoding.org
Subject: [SC-L] How big is the market?


Hi sc-lers,

At s3con this week I gave a keynote about the state of the practice in
software security.  Some of what I said is captured in my darkreading
column this month:

http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1

There are a couple of things worth noting.  First of all, the article
has some numbers in it that show how the market is growing.  I believe
we attained a $200-275 million level in 2006.  Things look like they are
continuing to grow as well.

Second, this article discusses a few ways for a corporation to get
started with software security, from the kinds of full blown initiatives
that we recommend at Cigital to easier baby steps with badness-ometers
like SPI Dynamics and Watchfire.

Please do what you can to spread the word about this article so that
people outside of our specialty get a feeling for what is happening.
Software security is growing, and the growth is strong and consistent.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com 


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___

Re: [SC-L] Silver Bullet: Ross Anderson

[McGovern, James F (HTSC, IT)]

Would it be possible for upcoming episodes to have an individual who is 
directly employed by a Fortune enterprise whose primary business model isn't 
technology? Way too many software vendors, consultants and folks from academia.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Gary McGraw
Sent: Friday, April 13, 2007 5:33 PM
To: Mailing List, Secure Coding
Cc: Clark-Fisher, Kathy; Anderson,Ross
Subject: [SC-L] Silver Bullet: Ross Anderson


Hi all,

A faithful reader of sc-l (and a long time silver bullet listener) suggested 
that I interview Ross Anderson for an episode.   By popular demand, here's Ross:

http://www.cigital.com/silverbullet/show-013/

This episode will appear in an upcoming issue of IEEE Security & Privacy 
magazine.  S&P co-sponsors Silver Bullet along with Cigital.

As usual, there is some talk about software security in this episode.  Your 
feedback is welcome!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com 


Sent from my treo.


*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___

[SC-L] Source code hiding doesn't work (was: Re: State Department break-in last summer)

[David A. Wheeler]

Florian Weimer said:
 >The times when you couldn't get source code for proprietary,
 >off-the-shelf software are over.  Welcome to the new world order!  8-)

Amen, and please let me add a few additional comments, because I'm 
afraid a lot of people "outside" don't really understand why this 
"hiding of source code" is a waste of time from a security vulnerability 
point-of-view.  Here are my thoughts on the topic, which I hope some 
other people will agree on.

This notion - that merely "hiding the source code" really prevents 
vulnerabilities from being discovered - is (I believe) nonsense:
* Attackers typically don't need to examine source OR binary.  Just 
sending data to the program, and seeing what it sends back, is often 
revealing enough to find a vulnerability.  This is why "fuzz" testing, 
and sending malicious data to websites, work so well.  Add in tools to 
observe in detail what happens with various inputs & outputs, and/or 
user documentation, and the attacker simply has tons of data to work 
with... they don't NEED more.
* If attackers want to examine something using static analysis, 
examining the binary is often enough.  There are tools that can examine 
binaries for patterns.
* If attackers want to examine source, they can reconstruct it "enough" 
from binaries (using decompilers) to use source-based approaches.  Yes, 
the resulting source code would be hideous to maintain, but an attacker 
doesn't NEED to maintain it.  An attacker just needs to attack the 
program, which is much easier (only one vulnerability needs to be found, 
etc.).
* If they don't want to bother decompiling, they can often buy the 
source code, get a license for it, or steal it from those who have it. 
Lots of vendors make source available.

Note that you can typically buy the binary (or access the website), and 
you can often buy and decompile the binary, so there's typically no 
barrier for the first methods.

Now, there ARE reasons in some cases to hide source code.  I believe 
hiding the source code is all about restricting the ability to MAINTAIN 
a program to a privileged organization, in order to (1) collect payment 
for use as a proprietary program and (2) make it harder for others to 
develop competing products (because they'll have to redo a lot of that 
work).  For _financial_ purposes, such hiding is sensible if you're 
selling a closed-source (proprietary) program.  As long as you're clear 
about THAT being the rationale for hiding source code, you're at least 
being level-headed. But don't confuse that economic rationale with 
providing any _security_ benefits against vulnerabilities in the 
program.  I believe the latter is nonsense.

Hiding the source code to prevent the revelation of vulnerabilities is 
just another form of security by obscurity, and I believe that security 
by obscurity is a horrifically bad basis for security.  Not because it 
can't work - in theory it can - but because it's notoriously difficult 
to TRULY obscure something, and you don't normally know when you've been 
compromised (so when you've been had, you still think you're safe). It's 
so hard to PRACTICALLY implement all the secrecy required in many cases 
that security-by-obscurity is often impractical.

That's REALLY obvious for software.  If you were REALLY serious about 
security through obscurity (hiding information about a system in order 
to protect it from serious adversaries), you'll need to do the following:
* Ensure that only a VERY few can get the source code.  Locked rooms, no 
Internet connectivity for machines with the source code, a few people 
with extensive background checks, no USBs or writable CDs.
* Ensure that only a VERY few people can get the executable files. 
Think ROMs with black goo on them, etc.  Obviously, you can't sell 
binaries to more than a few people, and only after extensive background 
checks of the one running the program (!).
* Ensure that only a VERY few people can send data and receive data back 
from the program.  Think running in a closed facility, with personnel 
you trust controlling the inputs and outputs.  Preferably with 
monitoring systems.

Can you enforce all these requirements using a traditional COTS product, 
either closed or open source?  Don't make me laugh.  You can't set up a 
website or sell an executable file - never mind distribute the source 
code - while still retaining the necessary amount of obscurity for 
"security by obscurity" to have a PRAYER of succeeding.

I think this is why so many people still try to do "security by 
obscurity", even though it keeps failing so spectacularly in typical 
software projects.  In some other fields you can hide the necessary 
information pretty easily, so people with those mindsets try to apply 
the approach to software.  But to work in software, the amount of 
obscurity required is typically impractical; they're mislead into 
thinking that merely hiding the source code is all there is to it, and 
it's not.

Can COTS progr