Follow-up to Insecure Code Accountability

My last post discussed former Cybersecurity Chief Howard Schmidt's proposal to hold software developers accountable for insecure code. I stated that Mr. Schmidt exhibited a fundamental misunderstanding of how software development works. On Sunday, Bruce Schnieier took a different approach by discussing the economics of software purchasing & development, and how these realities mean such an approach wouldn't work. An interesting read.


And this guy's an "expert"?

On Tuesday, former White House "cybersecurity advisor" Howard Schmidt suggested that developers should be held personally accountable for software flaws. "We need individual accountability from developers for end-to-end solutions," he is quoted as saying.

It is scary that someone who held such an influential position in politics regarding information security is so clearly lacking a fundamental understanding of the process by which software is released. Accountability is a major problem right now in the software industry, but blaming the coders is a terrible approach. When I did some work as an engineer, it became quickly apparent to me how easily management decisions (and even promises made by marketing/PR departments) could compromise the quality of my work. Unreasonable or constantly changing priorities and timelines can easily degrade the quality of any employee's work, whether in the software industry or otherwise. And poorly-implemented software development life-cycle models, which are often controlled by a programmer's employer, can also allow buggy code to make it to final release.

There are so many factors, and people, involved in software development that it's unreasonable to hold individuals accountable. Only by holding companies that develop sofware accountable will we begin to see an increase in software quality.


10/6/2005: A Dark Day for Security

The sky is not falling. The apocalypse is not near. Symantec & McAfee have not merged to corner the anti-virus market. But on this day, we see dark clouds on the horizon for the InfoSec industry.

First, Checkpoint, overlord of the software running a sizeable percentage of the world's firewalls, announced it was buying up Sourcefire, maintainer of the wildly popular and industry-leading open source Snort IDS. Within a matter of hours, news broke that Tenable Network Security, maintainer of the wildly popular and venerable Nessus vulnerability scanner, would no longer release its software under the GPL beginning with the next major release due to a "loophole" allowing its competitors to copy off of Tenable's work.

Business and economic arguments aside, these are ominous developments. For years, Snort and Nessus have both been considered the baseline to which other COTS products in their respective fields have been compared. Their open development and liberal use licenses are a big part of what made them so popular and well-known. Of course, they stand on the merits of their technology alone. But it's been the ease of access to these products that has made them so pervasive.

Some of the implications of these announcements are obvious. One that may not stand out as much, and is worthy of special note, is the impact of these announcements on small and medium-sized businesses. These companies are often the bane of security analysts, as their low-budget IT shops can't afford good security, or haven't yet realized its importance. Nessus and Snort are a staple for security-conscious IT staff in those situations, working on minimal IT budgets where vulnerability assessment scanners and IDS's are scraped together using spare parts and old equipment. Even so, thanks to Snort and Nessus, these administrators can run VA scans and intrusion detection tools that provide the same quality of results as a security team in a company with a budget orders of magnitude larger. Today's news seriously jeopardizes these capabilities down the road, which put the small and medium sized companies in an even worse spot. Less security for these companies means more zombies, more warez sites, more worms, and generally bad news for everyone.

For Nessus, this is the nail in the coffin. While Tenable plans to keep supporting version 2.0, it's only a matter of time before this development tree is EOL. Hopefully, the new license isn't too restrictive, and will facilitate continuous development and acceptance amongst individual information security professionals. Tenable thinks that it has gotten very little from the open-source community in return for its GPL'd software. While this may be true, it overlooks the fact that the open nature of the GPL is what allowed Nessus to become so prevalent in the first place.

The story for Snort is not nearly so bad. It's almost certain that Checkpoint's short-term intention is to integrate Snort into its Checkpoint NG firewall software (or whatever its next major release will be called) to create a combined IDS/IPS/firewall product offering. While this is happening, I can see Checkpoint leaving Sourcefire's product alone. What concerns me is what will happen to Snort after that? The license for Snort, once integrated with Checkpoint's closed-source firewall software, is certain to change or else the entire product will be GPL'd. The new integrated product is where Checkpoint is likely to focus their development. This means one of two things: the new features and technologies implemented in the IDS/IPS/firewall software will be brought into the Snort/Sourcefire product offering, meaning a license change from GPL, or even worse, no further development on the stand-alone Snort will be done.

The story for these two security stalwarts is far from over, and many events could transpire that make this a non-event. But for now, the future of these two products is up in the air. And for this security professional, that is a very scary thing.