SAN FRANCISCO – RSA CONFERENCE 2013 – A two-person panel tackled a provocative question head-on at the RSA Conference on Thursday: Is software security a waste of time for most companies?
The question had many layers. Should companies focus on shipping out the product and fix bugs afterwards if they are reported? Or should companies have security reviews and focused testing during design, development, and testing, to try to catch bugs before the product ships?
On one side of the debate was Adobe’s Brad Arkin. Like Microsoft, Adobe has fully embraced the secure software development lifecycle and has invested a lot of time and money in writing secure code. On the other side was John Viega, executive vice-president of SilverSky, who formerly worked on product security at McAfee and talked about his experiences trying to implement software security initiatives at that company.
For Adobe, waiting around is too expensive, so it makes software security a major part of the product development process at every stage: concept, design, coding, testing, and deployment. “I am looking at 100 different governments trying to attack each other using my software,” Arkin said. “An exploit that works against Reader or Flash puts more than a billion computers at risk. The cost of getting those fixes out is so high that we need to invest everything we can to fix those problems before we ship,” he said.
The company focuses on intensive security training for all its engineers. “The chances are that most people who come to us have no security training, so raising the security IQ is a really good thing in our environment,” Arkin said.
But there are also companies that will never see a return on investment from secure software development initiatives, Viega said. “For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to pressure you to do it,” Viega said.
For example, in one year McAfee had three publicly disclosed security flaws, which cost less than $50,000 in total to deal with, Viega said. That figure included all communications and the time taken to develop and test the fixes. A comprehensive software security program, by contrast, cost the company millions of dollars in direct costs, and even more in indirect costs such as lost developer productivity, he said.
At McAfee, secure software development projects were “an absolute waste of money,” Viega said. “There’s a whole class of companies where it doesn’t make sense to do anything.”
While large software companies, or major enterprises deploying custom applications, can benefit from integrating security into development from the start, that isn’t the case for smaller organizations, Viega said. Microsoft has benefitted greatly from its Security Development Lifecycle (SDL), as has Adobe, but “I know dozens and dozens of companies who look at the SDL and say, ‘Are you kidding me? This would put me out of business,’” Viega said. Training the average developer is an “absolute waste of time,” he added.
Arkin was careful to point out that while Adobe spends a significant amount of time and resources finding and fixing vulnerabilities during development, the goal is not to stamp out every single possible bug. It is a better use of the team’s energy and money to address whole categories of bugs, he said. “If you’re fixing every little bug, you’re wasting the time you could’ve used to mitigate whole classes of bugs,” he said. Arkin also criticized the trend of dropping a Web application firewall or similar product in front of an application to deflect attacks. If there is a problem in the code, fix the code; don’t put something in front of it to avoid the problem, Arkin said. “It’s like putting up a fence post hoping the bad guy runs right into it,” he said.
Viega and Arkin both agreed that government should steer clear of mandating software security. Mandates and legislation are useless for preventing breaches, Arkin said. For example, even with PCI, it’s not as if credit card compromises disappeared afterwards (and yes, he was aware that PCI is an industry initiative, not Congressional legislation).
“Legislation is a terrible idea,” Arkin said, pointing out that legislation would be outdated by the time it became law. “Would anyone want to see the government’s language on preventing buffer overflows?” he asked the audience.