What is it that makes security hard?
I’ve been asked this question numerous times, often in the guise of a question like, “why can’t you guys simply fix the security problem?” or “reliability and scalability problems are understood and solvable, why can’t you do the same with security?” or my favorite variant, “what the heck keeps you interested in security when it seems you’re fighting a ‘no-win’ battle?”
First, there is little agreement around what constitutes a “security bug” so I’ll leave that subject for another day!
Next, I’m no expert on the science behind reliability or scalability, so I’ll take it at face value that when people say these issues are “understood and solvable,” they are being honest.
So what is it that makes security hard?
It’s simple:
- Scalability and reliability issues are man-vs-machine and machines are stupid.
- Security is man-vs-man and humans are intelligent.
This security stuff is an ongoing arms race and chess game, and each side is constantly trying to outwit the other. We raise the bar, and the attackers then spend time trying to defeat that bar. So we raise the bar again, and so on. With reliability and scalability, we can understand the “adversary” and that’s that. The "enemy" won’t adapt to defeat you!
To be honest, it’s this on-going intellectual battle that keeps me coming back to security, but it also means that no-one will ever build 100% secure computer products, and this is why we update the Security Development Lifecycle (SDL) twice a year as we learn new attack and defense techniques.
Comments
Anonymous
February 02, 2007
"Security is man-vs-man and humans are intelligent." It's not just an intelligence. The "evil" man has most probably more incentive than the "good" man (think organized cyber-crime).
Anonymous
February 03, 2007
I think what makes it hard is the profusion of New Zealanders.
Anonymous
February 04, 2007
"Security is man-vs-man and humans are intelligent." There's also an issue of the scale: if you maintain the program, to make it 100% "safe", you'd have to find and fix all security bugs. An attacker has to find only one. And then, there are the user's actions, which can be manipulated. And the UAC as it is now, in my opinion, is still done wrong. The confirmation dialogs pop up too often, enough to make people acknowledge automatically (even the people that know what they do!). For example, to know all processes which run on the machine I have to confirm a UAC dialog each time I want to do that in the Task Manager?!? Dialogs that pop up often, nobody will read, and nobody will think about them. No offense, but I believe, the way you did it, you added it more to be able to say "you're guilty yourself, you clicked yes" than to really enhance the security of the user.
Anonymous
February 13, 2007
It's Between Your Ears Why? Because "Security is man-vs-man and humans are intelligent." - more about
Anonymous
February 16, 2007
Why is it hard to understand the training materials on the subject of security? Because if you explain it too well then the attacker can read it, understand it only too well, and find the vulnerabilities. So you can only include part of the story.
Anonymous
February 21, 2007
For sure it is really difficult to analyse all the possibilities, keep the backward compatibility and know all the performance impacts, in a generic OS. Like the analysis of your blog entry: http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx, many people try to say about other OSes that have this kind of resource for a long time before Microsoft tries to implement it. In any way the Microsoft implementation is not 2^8 bits entropy in every case. You can have some situations where the process has more than just one DLL loaded with a trampoline instruction pointing to the same offset, so, the number goes down... ;) Good luck to you guys, Rodrigo (BSDaemon).
Anonymous
December 18, 2008
Hi, Michael here. Every bug is an opportunity to learn, and the security update that fixed the data binding
Anonymous
December 22, 2008
Microsoft explains how it missed a serious IE bug for NINE years or, as the company chooses to title