Why does bad software happen to good people?
First up at LASCON was the keynote by Matt Tesauro from Praetorian (and OWASP Foundation board member), speaking on “Why does bad software happen to good people?” The problem in short is:
- Software is everywhere, in everything
- Software has problems
- Why do we have these problems, and why can’t we create a secure software ecosystem?
The root causes boil down to:
- People trust software a lot nowadays
- Developers get blamed for the problems
- Security of software is hidden
- Companies just CYA in their EULAs
- Lack of market reward for secure software
- First-mover advantage: taking the time to do security is often skipped
- Regulation can’t keep up
So the trick is to address visibility of application security, and in a manner that can take root despite the market pressures against it. We have to break the “black box” cycle of trust and find ways to prevent problems rather than focusing on coping with the aftermath.
He made the point that the physical engineering disciplines figured out safety testing long ago, like the “slump test” for concrete. We don’t have the equivalent kind of standards and pervasive testability for software safety. How do we make software testable, inspectable, and transparent?
Efforts underway:
- They got Craig Youngkins, a big Python guy, to start PythonSecurity.org, which has been successful as a developer-focused grass-roots effort
- The Rugged Software Manifesto at ruggedsoftware.org is similar to the Agile Manifesto and it advocates resilient (including secure) software at the ideological level.
I really liked this talk and a number of things resonated with me. First of all, working for a test & measurement company that serves the “real engineering” disciplines, I often have noted that software engineering needs best practices taken from those disciplines. If it happens for jumbo jets then it can happen for your shitty business application. Don’t appeal to complexity as a reason software can’t be inspected.
Also, the Rugged Software Manifesto dovetails well with a lot of our internal discussion on reliability. And having “rugged” combine reliability, security, and other related concepts and make it appealing to grass-roots developers is great. “Quality initiatives” suck. A “rugged manifesto” might just work. It’s how agile kicked CMMI’s ass.
The points about how pervasive software is now are well taken, including the guy with the mechanical arms who died in a car crash – software fault? We’ll never know. As we get more and more information systems embedded with/in us we have the real possibility of a “Ghost In The Shell” kind of world, and software security isn’t just about your credit card going missing but about your very real physical safety.
He threw in some other interesting tidbits that I noted down to look up later, including the ToorCon “Real Men Carry Pink Pagers” presentation about hacking the Girl Tech IM-Me toy into a weaponized attack tool, and some open source animated movie called Sintel.
It was a great start to the conference; it raised some good questions for thought and I got a lot out of it.