Tuesday, December 4, 2007

Solving the wrong problem...

For those of you who are not familiar with Gene Spafford from Purdue's CERIAS (the Center for Education and Research in Information Assurance and Security) or his blog, I would encourage you to check them both out. I've had the great pleasure of working with Spaf and one of his latest posts is absolutely on target, albeit from an altruistic standpoint.

In "Solving Some of the Wrong Problems" Spaf points out that most of our efforts in information security are pointed only at treating the symptoms created by the very nature of the unsecure products we or our companies use. Simply put, we know how to create more secure software, databases, networks and systems in general - however our vendors or we don't do it.

"We know how to prevent many of our security problems — least privilege, separation of privilege, minimization, type-safe languages, and the like. We have over 40 years of experience and research about good practice in building trustworthy software, but we aren’t using much of it.

Instead of building trustworthy systems (note — I’m not referring to making existing systems trustworthy, which I don’t think can succeed) we are spending our effort on intrusion detection to discover when our systems have been compromised..."

"I’m not trying to claim there aren’t worthwhile topics for open research — there are. I’m simply disheartened that we are not using so much of what we already know how to do, and continue to strive for patches and add-ons to make up for it...

Let’s start using what we know instead of continuing to patch the broken, unsecure, and dangerous infrastructure that we currently have. Will it be easy? No, but neither is quitting smoking! But the results are ultimately going to provide us some real benefit, if we can exert the requisite willpower."

It's a great read and don't blame me if you get sucked into reading for quite a while with some of his other posts. Speaking of which - check out his view on passwords. These both put my day of HIPAA policy review in perspective!


kurt wismer said...

y'know, it's funny... 'hoff' pointed to the same post back in october (http://rationalsecurity.typepad.com/blog/2007/10/sacred-cows-mea.html)...

yes, mr. spafford makes some good points, and that "solving the wrong problem" bit makes a great catch-phrase, but it's a little on the over-broad side... not all the problems he says can be solved by using what we've already learned actually can be solved so easily..

MTI said...


I agree that Spaf's approach is theoretical and written with a flash of word pictures. It does, however, point out that we can often do better - if we choose to.

But if it were so easy I would not have a job in the arena I enjoy now. Fact of the matter is that we will always have flaws as long as humans are involved in the process. Be it tight deadlines, high bottom lines, too many lines of code, or crappy "I'm a {insert flavor of language here} developer" wanna-bes - nothing is going to be completely secure. This is exactly why some have added an eighth layer to the OSI model - the "Political" layer.

Thanks for the comment.