The Past, Present and Future of Software Security

Perhaps no segment of the security industry has evolved more in the last decade than the discipline of software security. At the start of the 2000s, software security was a small, arcane field that often was confused with security software. But several things happened in the early part of the decade that set in motion a major shift in the way people built software: the publication of Bill Gates’s Trustworthy Computing memo, the release of Building Secure Software and Writing Secure Code, and a wave of high-profile attacks such as Code Red and Nimda that forced Microsoft and, ultimately, other large software companies to get religion about software security. To get some perspective on how far things have come, Threatpost spoke with Gary McGraw of Cigital about the evolution of software security since 2001.


This is an edited transcript of a recorded conversation that Threatpost Editor Dennis Fisher had with McGraw.

Pre-History

In 2001, software security was really very new, and not many people knew about it or thought about it. In fact, I had a hard time even convincing my mom that it was a good thing to work on, but we got some momentum from the Java security issues that Ed Felten and I wrote about in the late ’90s. And we were thinking to ourselves: “Why is it that these amazing guys like Guy Steele, who’s a phenomenal languages guy, and Bill Joy, who wrote Berkeley Unix – no hacks – screwed it up when it came to Java and security?” And if you were a developer – somebody who was building and designing, and implementing one of these systems – where would you go to learn how to do it right? And the answer was nowhere.

So that’s why we wrote Building Secure Software, which just happened to come out in 2001, you know, ten years ago – go figure. It was quickly followed by Microsoft’s first book, Writing Secure Code, that Mike Howard wrote with Steve Lipner. Remember, that was the time when Microsoft was completely getting hammered by Nimda, right after 9/11, and Code Red and all of the malware that was aimed at their incredibly vulnerable software. It became such a big deal that Bill Gates wrote the famous Trustworthy Computing Initiative memo.

The Early Days

So Bill Gates wrote that memo and really tried to turn the entire Microsoft boat a few degrees towards security, which is really cool. Now, ten years later Microsoft has made great strides in software security, and they have learned a lot of lessons that other people can emulate, and they’re publishing stuff and sharing stuff, so that’s pretty cool. So right about the middle of the ten years, five years in, everybody realized that the way to do this was to integrate stuff into your software development lifecycle. However, the process alone is not enough, and if you did anything to study large-scale software security initiatives of the sort that Microsoft Trustworthy Computing Initiative is one, then you could find out that you needed more than just process to attain software security. So we created the first version of the BSIMM, in 2009, by describing the observations that we made – describing facts about software security initiatives out there.

The reason this is important is because when you start a field out, like we did in 2001 with the philosophy, there’s an awful lot of cheerleading and evangelism and advocacy, and there are a lot of people with good ideas, and ideas are great, that’s really important for booting a field. However, ten years later, the time comes to turn the corner to science, and to talk about facts, and how things work – to talk about large-scale enterprises’ approach to this problem, and how you garner resources, the politics involved, and all that stuff. And there are a lot of people who are working every day professionally doing software security.

So we’ve turned the corner from kind of a philosophy and an idea, and then a process approach, to an actual enterprise software security initiative description and science that makes sense. So that’s extremely cool. One of the funny things about security is, often if you’ve been in computer security for 10 or 15 years, you turn into this sort of a cynical curmudgeon. I’m actually sort of an optimistic guy; I think that we’ve made a huge amount of progress in software security in the last decade. Now we are not done, and we have, by no means, solved the problems, but boy have we made great progress.

The Current Landscape

What has changed is that we now know how to accomplish some of those large-scale principles and goals by building better software and avoiding vulnerabilities. Another important change, although we haven’t made quite as much progress, is in the notion of looking at design, and trying to find design flaws and eradicate those early in the lifecycle. You know, Microsoft has an approach called Threat Modeling, we had something called Architectural Risk Analysis, and basically they’re the same idea: let’s take a look at this design, at a forest level view, and make sure that the forest looks secure and not just all of the trees in the forest. And we’ve made a lot of progress there, too.

Then, finally, I think that those people who have thought about how systems break, have done a lot to move the field forward, too. Because if you know how your system will be attacked and what sort of shape attacks will take, then, and only then, can you build the fences that actually work.

The Future

The main thing I’d like to see in software security is a better set of programming languages themselves. So in 2001, C was a disaster, C++ was a disaster, Java was getting better, .NET was getting even better. You know, we’ve been moving slowly towards languages that at least have different sorts of vulnerabilities built into them, and make the job of software security easier. So I’d like to see a whole new class of languages that are designed with security right up front. And maybe we can get that accomplished in ten years. I’ve talked to Bill Joy about whether that’s possible, and we sort of wonder, but it might be possible.

Then I also think that some of the lessons that we’ve learned among the early adopters – you know, these 42 firms that we’ve studied, that are large enterprises – show us that you can, in fact, build a software security initiative that gets stuff accomplished, and makes forward progress. And we can take those ideas and spread them to the rest of the world. So I think the notion of having the Fortune 1,000 all doing software security is not outside the realm of possibility, and sort of the vast middle market is just beginning to develop for software security stuff. So I think you’ll see the field just grow and expand, and people’s – even consumers’ – understanding of the field will go up.

Gary McGraw is the CTO of Cigital and the co-author of Building Secure Software, Software Security, Exploiting Software and other books.

Discussion

  • Stuartlittle on

    IMHO, the real disaster is the bad programmers, not the language itself.

    There is secure software written in C/C++.

  • Anonymous on

    Typical McGraw fluff piece, nobody has learned anything from this article.

    /me can't wait until useless millionaire pundits like this guy shut up and go away

  • bperry on

    Open BSD was designed from the ground up for security, before your book came out. I consider some of your claims invalid.

  • Varian on

    @Anonymous

    >> /me can't wait until useless millionaire pundits like this guy shut up and go away

    Yes - that'll make the problem of overcoming Management induced Software Security inertia go away. Wow you're so right. Why didn't we all see that? It's not like he's contributed anything on the subject to the scene with Hope, Hoglund, Viega, Chess, West, and other authors.

  • Anonymous on

    This is probably one of the worst articles I've read today. Subtle bragging about his book 10 years ago.

  • gem on

    I will have to tell my wife I am a millionaire!  She will be psyched.

    gem

  • lolwhat on

    This passes for informative?

  • Anonymous on

    blah-blah-blah-want better languages, have no idea what that could actually be-blah-blah-blah

  • Anonymous on

    Is this guy full of crap or is it just me?

    "So in 2001, C was a disaster, C++ was a disaster, Java was getting better, .NET was getting even better"

    In 2001, .NET wasn't even released!

    And don't bother correcting the article, it should have never showed up in the first place.

  • +Anonymous on

    wow... such negativity.  something the internet obviously doesn't have enough of with all of the trolls lurking behind their keyboards.

    this article, anecdotal musing, might not be as in-depth as some would like but it does provide a couple of good bits of information for someone who might be showing interest in software development and will now have an idea of how security plays its part.

    when Gary mentions the "cynical curmudgeons" he must have known that some of you would be part of his audience.

    Get over yourselves and your know-it-all attitude and provide some meaningful insight instead of blasting someone else's work as shyte!

  • Anonymous on

    2001?  Really?  Tell that to Bell and LaPadula, back in 1973.  

  • Anonymous on

    OpenBSD remote root exploit, discovered in 2007:  http://www.coresecurity.com/content/open-bsd-advisorie

    proof that even the best programmers on projects with security touted as a major feature, still sometimes get it wrong.

    C++ gives you all the rope you need, sometimes so much rope that even the best get caught.

  • Tensigh on

    He does have one good point; 10 years ago, few people took security seriously. Most people (including a lot of IT managers and sys admins) thought that antivirus software and a firewall would protect you from attacks. And in many ways, this worked. In 2001 I worked for a company that was still running Win 98 which had few security protocols in place, and no NTFS control.

    Today the bigger threat comes from attacks like SQL injection. Once you get a boatload of user names and passwords, your security is almost worthless. The most secure borders won't matter if attackers can log in as legit users.

  • Anonymous on

    I think he *meant* to say the Microsoft and Windows folks weren't thinking about security back in 2001 LOL.  Windows was written for a single user, with no thought for security.  Over the years they have made small efforts to add/retrofit it to make it more secure.  But everyone else had long been considering it, like, for 30 years prior!  The Unix and then Linux world were written multi-user with security considerations from early on.  Such ignorance.

  • spOOk on

    Back in 1988 I was programming in C and using strategies like 'assert', code block input and output validation, information-hiding, inheritance, boundary checks, memory-leak detection, safe signals, messages and so on. This discipline has not been widely practiced for years, as is obvious from the number of exploitable bugs out there. So I don't think the article is that far off the mark. Some of you have been a little hard on the author. The knowledge about bug-minimisation has been available for a long time. It's the commercial pressures, and lack of education, that is the issue. If you can't program safely in the "disaster" that is C, then it's unlikely that any other language will help much, because the more one relies on the language to trap slack programming, the more likely things won't function as they should, so the exploitable holes will just slide up towards the wet-ware anyway.

    I say we need more formal texts, education, awareness and practice for fundamentally safer coding practice.

  • Mike Warot on

    I think you're wrong.

    Why? It's simple, it's not an application programming issue, it's an Operating System design issue.

    The default permit environment present in everything except IBM's VM is the root cause of 99% of our problems.

    Instead of giving each PROCESS a list of resources and permissions, Linux, OS-X, Windows, and pretty much everything else, does it at the USER level. (Yes, I know about app-armor, but that's a special case)

    This means that all of the defenses are pointed in the wrong direction. (Imagine building a fort with 10 foot thick perimeter wall as its sole defense in the age of paratroopers and helicopters to get an idea of the scale of the problem).

    It doesn't matter how careful or professionally trained the application programmers are, nor how safe the programming language used to write the application is, when the OS isn't even designed to limit what they can do. All programs have bugs, you shouldn't have to trust them not to have them.

    Now, those skills and language enhancements are useful for building the operating system, especially when constructing the micro-kernel to run everything, so it's not wasted effort.

    I predict we'll see stories like this for at least 10 more years, regardless of the effort or money put in, because we haven't changed our approach yet. It's going to take a few more years until the cognitive dissonance gets loud enough in people's heads to prompt them to find a better OS, and a few more years to actually have something reasonably solid available. Until then, buckle up... it's going to be a VERY bumpy ride.

  • Anonymous on

    So, Gary, I wanted to point out that many of your sentences start with a conjunction.  And conjunctions are generally used to tie parts of a sentence together.  You know, you're not supposed to start sentences with them.  Such use is occasionally acceptable, but I'd estimate half of your sentences start with either "and" or "so."

    I'm not just being a grammar troll here. I'm pointing out that your article is very conversational in its tone. I wouldn't want to read an entire book written like this article. I'm sure your book is very informative, but I suspect its success is due in large part to a busy team of fact checkers and editors.

  • Anonymous on

    I did a spit-take at "in 2001, software security was really very new"

    in 1965, software security was really very new. In 2001? not so much.

  • Anonymous on

    Summary: 10 years ago things were worse, today they're better...uh duh

    And this article got green-lit for slashdot's main page? I wonder what favors Dennis to call in for that...

  • Anonymous on

    The real problem now is vendors using their very old insecure code from 2000, but making it look pretty with a new GUI.

  • gem on

    Gotta love the interwebs.

    If you would like to read some of my writing, as opposed to some of my unreviewed transcribed speech, see http://www.cigital.com/~gem/writings

    For my basic approach to software security in book form, see "Software Security" at http://www.amazon.com/Software-Security-Building-Gary-McGraw/dp/0321356705/ref=sr_1_1?ie=UTF8&qid=1314456538&sr=8-1

    For a recent attempt to turn software security into a science, see the (open source) BSIMM at http://bsimm.com.  BSIMM3, a study of 42 software security initiatives, will be released before the end of the month.

    gem

  • Afshin on

    The emerging trend of "Language-based Security" research is making the "better set of programming languages" possible.

  • Anonymous on

    Software security to me is like inedible food, it just does not exist. Look at every Windows release, it is hacked in no time, same goes for iPhone, SEO tools, etc. It seems impossible to have good security without hampering and annoying your paying customers.
