Thursday, October 26, 2006
A Challenge to Open Source Vendors...
I am firm in my belief that we as an industry need to build security into each and every product we develop. It seems as if magazines such as Infoworld can provide lots of coverage on patch management and the Microsoft bug of the day, but won't lift a finger to publish thoughtful articles on how we can improve the software development lifecycle, not only in software companies but in corporate America in general, to ensure that all software developed is secure.
What would happen if we organized a big fat code review day where everyone reading this blog agreed to first learn what secure software looks like and then was sent out on a mission to find holes in open source software? Maybe vendors such as ouncelabs and Fortify would be willing to freely contribute copies of their software for this undertaking?
Even if these vendors are solely focused on short-term revenue at the expense of letting a larger population understand their value proposition, there are people who really will look at code for security problems with or without a tool. There are altruistic types who simply want to see a safer world, but most people who do this are trying to promote themselves or their company. Either way, both groups want to make the biggest impact possible, and as a result, what tends to attract the eyeballs in the open source world is the popular, widely adopted software.
Most of these people who look for security problems will start by looking for the low-hanging fruit, focusing on the potential problems that could have monumental impact. In practice, this means that people tend to look for straightforward instances of common problems such as buffer overflows, format string problems, and SQL injection.
Less sexy risks tend to get ignored completely. For instance, plenty of open source programs use SSL improperly (skipping certificate validation is the usual mistake) and are subject to network-based eavesdropping and tampering attacks (a problem I'll explore in more detail soon). People who publish security advisories aren't really publishing risks like this. This happens because folks are far more interested in finding more immediately demonstrable problems. After all, we understand that most folks would love to participate in security but simply don't have the brain power necessary.
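To make the SSL point concrete, here is an added example (not code from the original post) showing what "using SSL improperly" typically looks like in a client, beside the hardened configuration, plus a small audit function a reviewer could run over a project's contexts. It uses only Python's standard `ssl` module and opens no network connection; the function and finding strings are my own.

```python
import ssl

# Constructed example: the two client configurations the post contrasts.
# Nothing here connects anywhere; it only builds contexts and inspects them.

def insecure_context() -> ssl.SSLContext:
    """The common mistake: traffic is encrypted, but the peer is never
    authenticated, so anyone on the path can present any certificate and
    read or alter the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, even self-signed
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store, check the
    hostname, and refuse legacy protocol versions."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return findings for a client context; an empty list means it passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: "
                        "peer certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: "
                        "a valid certificate for any other host is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: "
                        "legacy protocol versions can be negotiated")
    return findings

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("hardened", hardened_context())):
        print(name, audit_context(ctx) or ["ok"])
```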
Setting the commercial tool offerings aside for a minute, maybe the open source community needs to create its own tools to help itself. There is actually an opportunity here, in that most products attempt to scan in a black-box fashion, which only finds superficial errors. The problem with black-box testing for security is that most programs are complex and have states that an automated crawler isn't likely to reach. Security problems are often buried deep in complex systems, and finding them with such an approach would require heavy user interaction to put the system into a large number of different states.
So, I have lots of respect for the contributors of Alfresco, Intalio and ServiceMix, but I too have no clue as to what is done to ensure that functionality not only works as advertised but is also secure. I know the folks that contribute to Liferay have ensured that Liferay Enterprise Portal is certified as being more secure than their commercial offerings. Wouldn't it be more interesting if, say, Alfresco were deemed more secure than Documentum and/or Interwoven?
It would be really cool if Intalio proved that its offering was more secure than, say, Pega or Lombardi. I suspect this would light a fire under many BPM vendors and they would step up to the challenge. In fact, I suspect Intalio would actually become the first BPM vendor to fully embrace the XACML specification.
Even though the blogosphere and pretty much everyone in corporate America understands that ServiceMix benchmarks faster and supports more industry standards than Sonic or CapeClear in the ESB space, the two big analyst firms, Gartner and Forrester, don't seem to cover this fact. I wonder what would happen if ServiceMix also got its code certified as being more secure and implemented XACML. Would this put ServiceMix into the leaders quadrant, or would the Gartner and Forrester analysts continue to ignore its value proposition?