SAN FRANCISCO–The discipline of software security has been gaining traction in a lot of organizations both large and small in recent years, thanks in part to the success that vendors such as Microsoft, Adobe and others have had with it. However, for many companies, the time and money spent on software security initiatives could be put to better use simply fixing flaws after products ship or are deployed, an expert said during a constructed debate.
For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove to be valuable and provide a measurable return on investment, but that’s probably not the case for smaller enterprises, said John Viega, executive vice president of products, strategy and services at SilverSky and an authority on software security. Viega, who formerly worked on product security at McAfee and as a consultant at Cigital, said that when he was at McAfee he could not find a return on investment for software security.
“As far as we could measure, it was an absolute waste of money,” he said during a panel discussion with Brad Arkin, the senior director of security, standards, open source and accessibility at Adobe, at the RSA Conference here Wednesday. The panel was a constructed argument, with Viega taking the devil’s advocate position that software security programs are not worth the investment. “For most companies it’s going to be far cheaper and serve their customers a lot better if they don’t do anything [about security bugs] until something happens. You’re better off waiting for the market to put pressure on you to do it.”
Viega said that during one of the years he was at McAfee, the company had three publicly disclosed security flaws and it cost less than $50,000 total to deal with all three, including communications, QA and other costs. A comprehensive software security program, by contrast, could cost seven figures and produce even more costs in terms of productivity losses, he said.
“There’s a whole class of companies where it doesn’t make sense to do anything, or just to do the bare minimum,” Viega said.
However, for a company such as Adobe, whose products run on more than a billion PCs and are under constant assault from attackers and security researchers, it’s a different story. There, software security is a major part of the product development process and also includes training for developers.
“An exploit that works against Reader or Flash puts more than a billion computers at risk. The cost of getting those fixes out is so high that we need to invest everything we can to fix those problems before we ship,” said Arkin. “We train far and wide. The chances are that most people who come to us have no security training, so raising the security IQ is a really good thing in our environment.”
Arkin said that while Adobe spends considerable time and money every year finding and fixing vulnerabilities in its products, that doesn’t mean that his team obsesses about every small flaw. Rather, they spend their time looking for ways to defeat attackers’ exploits against large swaths of bugs.
“If you’re fixing every little bug, you’re wasting the time you could’ve used to mitigate whole classes of bugs,” he said. “Manual code review is a waste of time. If you think you’re going to make your product better by having a lot of eyeballs look at a lot of code, that’s the worst use of human labor.”
The security development lifecycle processes used at some large software companies–notably Microsoft–also probably aren’t the best use of resources for smaller development organizations, Viega said.
“I know dozens and dozens of companies who look at the SDLC and say, ‘Are you kidding me? This would put me out of business.’ Training is a total waste of money. Most people don’t want to be in the room. Training the average developer is an absolute waste of time,” Viega said.
Fixing the problem of vulnerabilities in commercial software has been a topic in the industry for decades, and there has been some talk in recent years of the possibility of legislation to address it. Both Viega and Arkin said that any law designed to regulate software security would be useless.
“Legislation is a terrible idea. I have three letters for you: PCI. Thank God we’ve never had another credit card compromise after that was put in place,” Arkin said, referring to the PCI-DSS security standard developed by the payment card providers. “Any legislation would be so outdated by the time it’s printed it would be laughable. Would anyone want to see the government’s language on preventing buffer overflows?”
This post was edited on Feb. 28 to clarify that the panel was a constructed debate.