Eric Bidstrup here.
This year at Blackhat in Las Vegas, there is an interesting title for a session that caught my eye: “Iron Chef: Blackhat”. The presenters will be running static and dynamic analysis tools on code to find vulnerabilities. While this will likely be entertaining theater (I’ll likely attend) and an Iron Chef may be able to cook interesting culinary delicacies in an hour on TV, expecting to secure code in an hour is half-baked at best. I realize that this event is not being positioned as a 100% solution to secure code in an hour – and I’m sure that those presenting do too – but the Iron Chef analogy does seem to imply that something useful will be done in an hour. I want to be clear that I’m not picking on this presentation specifically. Instead, I wanted to consider the approach and the mindset, which I think is far too common in the industry.
This cooking/coding analogy is similar to many discussions I’ve had with various people with responsibilities for managing software development efforts. Those discussions usually boil down to “Trying to do everything described in SDL is too costly and/or hard; can’t you just let me know the highest-yield activities/tools?” My response is always that any effort to deliver secure software is more effective than no effort, but the primary reason SDL has been successful is that no single method, tool, or process is perfect. The sum is greater than the parts. (By the way, I’ll even include SDL in the scope of that last statement – it is not perfect either, but it does include self-correcting processes to examine where it fails so we can learn to accomplish better results and continually innovate to address gaps.)
In the early days of the Trustworthy Computing Initiative here at Microsoft, the SDL started from the security “push”(es) that were done for the .NET Framework and Windows Server 2003. Many people with many eyeballs spent many days reviewing many lines of code and running the analysis tools we had available, and this certainly had an appreciable impact on improving the security of those releases. However, the single most important lesson from that experience for the development and evolution of SDL was that secure development practices have to be an ongoing activity. A “push” (or an Iron Chef cook-off) is somewhat like cramming for a final examination. It can certainly help, but the student who applies effort consistently will be better able to accomplish their goals without having to rely upon such concentrated efforts. Many studies of software engineering have shown that it’s far more efficient and cost-effective to address deficiencies as early as possible, preferably never allowing them to get into code in the first place. Security is no different; the most effective means of eliminating vulnerabilities in software is to never allow them to occur in the first place. And to the software managers I mentioned earlier who are concerned over the costs of SDL – it’s not only more effective, it’s also cheaper to do it this way!
Security vulnerabilities can result from a variety of different causes. The size and complexity of software continues to increase, and isn’t likely to decrease any time soon. When considering all possible sources of vulnerabilities in complex systems, a methodical approach is the ONLY strategy that has a chance of delivering the desired results. Careful analysis of possible design vulnerabilities early in the development process, understanding the attack surface and giving it high levels of scrutiny, informed use of code analysis tools (and understanding their limitations) and other code quality techniques, executing thoughtfully designed test plans, and (last but not least) leveraging defense-in-depth mitigations are ALL vitally important in attempting to deliver the most “iron-clad” code possible.
An Iron Chef will get you four or five good dishes in an hour. Iron Chef Blackhat might give you four or five good bugs. Secure software takes more time. I certainly wish those presenting good luck in the presentation; like I said earlier, it’s one of the ones I will try to be at.