No Accountability, No Peace (of Mind)?
Thanks to the ever vigilant Richard Bejtlich for pointing out Jeremiah Grossman’s slides on the idea of INFOSEC security guarantees. Reading them reminded me of a saying, the exact wording of which I forget now, but it is something along the lines of ‘some analogies are useful’ and others…not so much.
Jeremiah does a good job explaining how guarantees can be a discriminator and how certain issues surrounding guarantees can be addressed, but there are a few factors that I think make this an untenable prospect:
- Boots are not Computer Systems. A great American outdoor gear company has no problem issuing a 100% guarantee on their outdoor clothing because they have intimate knowledge and granular control over every aspect of a given garment; you cannot say the same for any sufficiently large or complex piece of software. As the CSO of Oracle recently pointed out, big software companies try to write secure code and they check for and patch vulnerabilities when they find them; but as pretty much the rest of the Internet pointed out in response: that’s not enough. CIO Alice knows her enterprise is running MS Windows, but neither Alice nor anyone that works for her knows the Windows kernel like Bob the guy breaking into Alice’s company does.
- Money Over Everything. You know another reason why the great American outdoor gear company doesn’t mind issuing a 100% guarantee on their products? Margins. 1 boot out of 10,000 goes bad? "Oh my, how ever will we afford this? Oh, right, those boots cost me $10 to make and $10 to ship and market…and retail for $200 a pair." I don’t know any developers or security practitioners who are poor, but I also don’t know any whose money is so long they could survive more than one claim against their labors.
- Compliance. How does victim Big Co. prove they’re compliant with the terms of the guarantee? Yes, we are awash in data these days, but do you have someone on staff who can effortlessly and instantly call that data up? What if your findings are disputed? Yes, if you can conduct an effective forensic investigation you might be able to pinpoint a failure…but who covers the cost of the investigation? What if, in trying to claim that $100,000 guarantee payout you have to spend $500,000 over six months?
- Fine print. A guarantee isn’t really useful to a customer if it is so heavily lawyered-up that it would be useless to file a claim. An example Richard points out in his post: If someone manages to overcome a defense via a sufficiently novel approach, the vendor isn’t liable for that because it is not a ‘failure’ on their part. Yet a sufficiently resourceful and motivated attacker isn’t going to break a window or kick in a door – where he knows the alarm system sensors are – he’s going to take a saws-all to a wall and walk through the studs.
Competent practitioners can and should take pride in and stand by their work, but there are far too many factors involved in “securing” a thing than can be identified, calculated and accounted for such that a guarantee would be both meaningful and valuable to both parties. Let’s be frank: nothing is coded to be secure; it is coded to be functional. Functionality and utility are what people are willing to pay for, security is what they are forced to pay for. Not the same thing.