Wednesday, 10 July 2013

Why is security hard?

I was reading a series of postings on a security blog, and wondering at
how much interest there is in this. So I thought I would embarrass
myself and write my own monologue.

Why is security hard? It's easy to be dismissive or make fun,
but the answer is the same as the reason entropy increases: there are
far more wrong states than right ones. It's easier to do security
wrong than it is to do it right.

Likewise, there are more ways to create a broken or buggy
application than there are ways to do it right.

With the increasing hordes of people trying to do harm in the security
world, there are equally people learning how to prevent the harm.

I saw a reference the other day that as each exploit or hole is patched,
there are more to take its place (e.g. jailbreaks or other similar holes). Every
segmentation violation or unanticipated exception is problematic:
potentially a way to tunnel into an application. The reference to
there being tens of thousands of exploits left to use is worrying.
It shows that even for a brand spanking new, fully up to date package,
the next hole is just around the corner.

There are great initiatives, software packages and development
methodologies to increase the quality of software, but these may be
insufficient; or worse, they are sufficient, but expose so much
"noise" that they get ignored.

It *should* be possible to find software weaknesses automatically,
but it's not clear whether the frailty of the humans who write code
can win in the face of the ease with which these vulnerabilities can be

At the heart of this is human vanity. Coding is like a drug: you get
hooked; you get sucked in when the first dialog box appears, or the
first correct answer appears. We stop looking after that. It works!
It requires a detached mind and a lack of pressure to look below the
surface and discover that even if your app can do "2+2", it might
not handle "3+3" (a contrived but realistic example, especially
if you were working on a floating point or bignum package).

Ever tried to parse an IP address in C/C++?
Try writing a parser, e.g. in C, and consider what happens when
your "char" does sign extension: whether plain char is signed is
implementation-defined, and on x86 with gcc, clang or MSVC it is, so an
octet of 128 or more silently becomes a negative number the moment it
is widened to an int. Then move across compilers or standards, where
the rules changed, or from 8-bit to 16-bit, 32-bit, 60-bit and 64-bit
CPU architectures. Plug that IP address encoder/decoder into an
encryption utility, and you won't be able to tell the difference between
"good" and "bad". (It took me ages to debug the CRiSP license manager and
remove these kinds of issues when faced with IP addresses that looked
like signed numbers, or other non-standards-compliant code, even though
I thought I knew what I was doing.)
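As an added illustration of the sign-extension trap described above (example code written for this page, not the CRiSP license manager's code): a small dotted-quad IPv4 parser, a packer that widens each octet through a `signed char` (what plain `char` is on x86 with gcc, clang and MSVC) and therefore corrupts any octet of 128 or above, and the corrected packer that widens from `unsigned char`. The function names and the sample addresses are assumptions made for this example.

```c
/* Added example for this post, not code from CRiSP: a dotted-quad IPv4
 * parser and two packers, one of which shows the char sign-extension bug.
 * Function names and sample addresses are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* Parse "a.b.c.d" into four octets. Returns 0 on success, -1 on malformed
 * input: non-digit, missing or oversize octet, wrong field count, trailing
 * junk, or a leading zero (inet_aton() reads "010" as octal, so such
 * strings are rejected rather than silently reinterpreted). Digits are
 * matched by comparison, not isdigit(), so a high-bit byte can never be
 * passed to ctype as a negative index. */
int parse_dotted_quad(const char *s, unsigned char out[4])
{
    int field = 0;
    while (field < 4) {
        unsigned val = 0;
        int ndigits = 0;
        if (s[0] == '0' && s[1] >= '0' && s[1] <= '9')
            return -1;                 /* leading zero: ambiguous octal */
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (unsigned)(*s - '0');
            if (val > 255)
                return -1;             /* octet out of range */
            s++;
            ndigits++;
        }
        if (ndigits == 0)
            return -1;                 /* empty octet, e.g. "1..2.3" */
        out[field++] = (unsigned char)val;
        if (field < 4) {
            if (*s != '.')
                return -1;             /* too few fields or bad separator */
            s++;
        }
    }
    return (*s == '\0') ? 0 : -1;      /* anything after the 4th octet is junk */
}

/* Widens each octet through a `signed char`, which is what plain `char` is
 * on x86 with gcc, clang and MSVC. Converting 128..255 to signed char is
 * implementation-defined, but all of those compilers wrap modulo 256 and
 * yield a negative number; widening that to uint32_t sign-extends it and
 * sets every bit above the octet. Shifting the widened uint32_t is well
 * defined, so nothing crashes: the function just returns the wrong value.
 *   192.168.0.1 -> 0xFFA80001 instead of 0xC0A80001
 *   10.0.0.200  -> 0xFFFFFFC8 instead of 0x0A0000C8 */
uint32_t pack_signed_char(const unsigned char o[4])
{
    signed char c0 = (signed char)o[0], c1 = (signed char)o[1],
                c2 = (signed char)o[2], c3 = (signed char)o[3];
    return ((uint32_t)c0 << 24) | ((uint32_t)c1 << 16) |
           ((uint32_t)c2 << 8)  |  (uint32_t)c3;
}

/* Correct packer: widen from unsigned char so each octet contributes
 * exactly eight bits. Result is in host order, first octet highest. */
uint32_t pack_unsigned(const unsigned char o[4])
{
    return ((uint32_t)o[0] << 24) | ((uint32_t)o[1] << 16) |
           ((uint32_t)o[2] << 8)  |  (uint32_t)o[3];
}

/* 1 if s is a well-formed dotted quad, else 0. */
int ipv4_valid(const char *s)
{
    unsigned char o[4];
    return parse_dotted_quad(s, o) == 0;
}

/* Demo helper: parse and pack, through the buggy path if use_signed_char
 * is non-zero. Returns 0 on a parse failure, which collides with 0.0.0.0,
 * so real code should keep the separate status from parse_dotted_quad(). */
uint32_t pack_or_zero(const char *s, int use_signed_char)
{
    unsigned char o[4];
    if (parse_dotted_quad(s, o) != 0)
        return 0;
    return use_signed_char ? pack_signed_char(o) : pack_unsigned(o);
}

int main(void)
{
    /* Constructed sample inputs: two valid addresses with high-bit octets,
     * one with none, then malformed strings a naive parser might accept. */
    const char *samples[] = { "192.168.0.1", "10.0.0.200", "127.0.0.1",
                              "256.1.1.1", "1.2.3", "010.0.0.1", "1.2.3.4 " };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (!ipv4_valid(samples[i])) {
            printf("%-12s rejected\n", samples[i]);
            continue;
        }
        printf("%-12s signed-char=%08lx unsigned=%08lx\n", samples[i],
               (unsigned long)pack_or_zero(samples[i], 1),
               (unsigned long)pack_or_zero(samples[i], 0));
    }
    return 0;
}
```

Note that 127.0.0.1 packs identically through both routines, so a test suite built on loopback and low private ranges never sees the bug; it only surfaces once an octet of 128 or more arrives, which in a license check or a "good/bad" comparison is exactly when it silently mismatches.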

As security and safety become more and more problematic, most
people don't understand it. (If you believe you understand security...
you don't. Rule #1!) The best security people (probably; I don't know)
understand human psychology, and are armed with many tools to
tackle everything from the mundane to the super serious.

I write this as I stare at the certifications available for
security, and wonder: are you more worried about those who
proclaim themselves security people armed with certificates, or those
who declare neither knowledge nor anything about themselves?

Meanwhile... I'll go hunt for more bugs in my own code. Or shall
I go web surfing...

Post created by CRiSP v11.0.17a-b6580

1 comment:

  1. Security is hard because to build a completely secure system you have to get every single thing right, including things you don't know about yet. To break into one, you just need to find one thing that the humans building it missed.