Thursday, January 22, 2009

Alignment of Interests in Web Security

John Dean, former Chairman & CEO of Silicon Valley Bank and one of WhiteHat Security’s earliest investors, shared some wisdom with me years back that I rely upon every day. “Interests must be in alignment,” he said. Meaning that for an effort to be successful everyone must pull in the same direction and be incentivized accordingly. In sales for example, revenue quotas motivate personnel to achieve higher pay. Postal mail delivery deadlines reward drivers who complete their routes quickly by allowing them to go home early. Even software development groups sometimes have compensation tied to release dates or defect reduction. Failure to meet objectives may result in employee write-ups, missed promotions, or dismissal. Alignment-of-interests encourages stakeholders to work efficiently together towards a common goal. When approaching Web security, the landscape is littered with conflicts-of-interest. Before discussing a few of them lets briefly look at the current state through some recently published reports.

"82 percent of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity.”

WhiteHat Security (Sixth Quarterly Website Security Statistics Report 2008)

"60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008."

Websense security Labs™ (State of internet security -Q1 – Q2, 2008)

"From 2006 to the first half of 2008, vulnerabilities affecting Web server applications accounted for 51 percent of all vulnerability disclosures."

IBM Internet Security Systems (X-Force® 2008 Mid-Year Trend Statistics)

“Invisible threats” (such as hard-to-detect infections of legitimate websites) are making common sense and many traditional security solutions ineffective."

Cisco (2008 Annual Security Report)

"As a result of these considerations, Symantec has observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity."

Symantec Internet Security Threat Report (Trends for July–December 07)

The poor state of Web security is well-known to industry insiders, security experts, academics, and malicious hackers. Scores of brilliant minds all over the world have spent their careers developing technology solutions, backed by hundreds of millions (billions?) of dollars in venture capital, only to witness the problem steadily worsen. Its not that we don’t know how to secure a website. We do! We know how to harden operating systems, lockdown Web servers, encrypt data transactions or disk storage, develop secure Web applications, and so on. We have been unsuccessful not because of a shortage of good security products, too few qualified professionals, ineffective standards, or the lack of a cabinet level cyber security czar. The culprit is a lack of business drivers. Those in the best position to provide security are not necessarily those who suffer the losses, and those who suffer the losses are often incapable of doing much to protect themselves.

For example, why isn’t every packet of Web traffic encrypted with SSL? Doing so would improve defenses against phishing scams, passwords being stolen, and online actions being spied upon. However, SSL adds performance overhead causing websites to slow down and negatively affecting the user experience. Solving these issues costs money. Not to mention the fact that SSL hinders governments and ISPs ability to monitor what we do online. So security, our security, is sacrificed for performance and surveillance. Removing or default-disabling IFRAME and a few other features from Web browsers would do a lot to slow or stop the spread of drive-by-downloads exploits, which are now a leading cause of malware propagation. However, browser vendors are quick to point out that doing so would “break the Web.” That is not exactly accurate. More precisely, it would break the multibillion dollar online advertising revenue model that relies upon IFRAMEs. So again security, our security, is sacrificed for banner ads and social network Web widgets.

As Bruce Schneier (CTO of BT Counterpane) has said, security is about tradeoffs. We may trade money, convenience, privacy, liberty, etc to obtain a certain level of security. The unfortunate thing about Web security though is the tradeoffs are made without the knowledge of the Web user who is largely and personally affected. For the most part they remain oblivious to the myriad of significant risks they are exposed to online, so tradeoffs are made on their behalf by the powers the be, often conflicting with their best interests. Imagine if they were aware that each website they visited, legitimate or otherwise, could uncover what other sites they’ve visited, where they are logged-in, could force them to criminally hack other websites or download illegal content, and spy on them by hijacking their webcam and microphone. Things all possible, if not easy, without the need to compromise their machine, which remained entirely likely. Web users are now beginning to realize something is up and this realization is having a business impact on the bottom-line.

Security compliance standards, such the Payment Card Industry’s Data Security Standard (PCI-DSS), attempt to bring interests into alignment by compelling business to implement certain safeguards or risk disciplinary action -- mostly fines or threats to halt operations. Security vendors love strongly enforced compliance standards as it frees up budget for their solutions, which may not reduce risk, but have to be purchased to satisfy a checkbox. While good at raising awareness, security standards also tend to be slow moving with a one size fits all approach. As such they are unable to efficiently address a fast changing threat landscape in which each constituent’s risk tolerance can be wildly different. Finally, standards can also be circumvented, especially when auditors with flexible ethics are incentivized to rubber stamp anything so they return another day to earn another buck. The U.S. mortgage industry faced an identical problem when credit rating agencies assign a good-as-gold “AAA” rating to high risk deals in order to receive large commissions. When interests are not in alignment we all can suffer.

How do we get the owners of 187 million websites, 17 million developers, browser vendors, universities, governments, ISPs, compliance auditors, and security researchers all to pull in the same direction towards a more secure Web? How do we get interests into alignment? This is the fundamental question we need to be asking ourselves. Admittedly, I have more questions than answers, but what I do know is all the stakeholders must be accountable to someone else for the system to work. Ultimately we have a software security problem and with proper accountability we’d be able to achieve alignment of interests to justify doing the things we already know work. Business would seek to procure software that has attained a certain level of security assurance before deployment. Organizations developing software would give preference to those with the skill set to do so. Software developers would seek to further there own education and increase their employment outlook through studying security principals. Education institutions would be compelled to add more and better security curriculum to attract more students. Alignment of interests is the answer.


Anonymous said...

Unfortunately, the "multibillion dollar online advertising revenue model" doesn't rely on IFRAMEs, it rather relies on third-party scripts. And while IFRAMEs represent a security boundary there is nothing holding back a third-party script from doing something malicious. So if you manage to change all existing browsers at a time, please remove support for third-party scripts rather than IFRAME. Problem is, there are in fact many big sites that break if you have the filter "*$script,third-party" in Adblock Plus...

Jeremiah Grossman said...

@Wladimir: Granted, no objection. However, I didn't want to spend too much time explaining the painful details in that specific instance as it distracts from the larger point. The point being that those who could do the things as you suggested, allowing the user more security control, would run counter to where the dollars flow.

ark0n said...

Well said. When one has private enterprise engaged in self regulation, even through the auspices of "neutral" third party auditors, the issues you bring up are only magnified. It seems that history has shown that QSA's tend to be more flexible when their business is intertwined with the merchant they are auditing. Just look at the largest CC breaches as an example.

Anonymous said...

Jeremiah, I like your points on achieving alignment. These are things we need to think about every day when discussing security and risk management with others.

I propose the idea that everyone is incented differently. Some CEOs care about brand, others about cost, marketability, impact on revenue, and still others will never care.

Companies are always trying to identify what will incent their clients. Consultants look for ways to incent their customers. Industries try to incent the participants. Herding cats suddenly sounds fun. I like your question of how do we change the world (with you, it's web security.)

Thinking big is the best path the an effective solution. I don't have specific answers but I'm glad you're asking.

Jeremiah Grossman said...

@ark0n, the other largely unspoken tragedy is how much time/money the merchants waste. Resources perhaps better spent elsewhere, but that are now spoken for.

@Mike, for myself and my business... I ask that question in every aspect, mostly outside of web security. Who is doing what and for what reason. When things go awry, it tends to be because interests were not in alignment and adjustments need to be made. Its just nature law I guess in many ways.

Cd-MaN said...

The situation is even worse :-(. Those who want to implement, get it most times wrong. I did a quick check ( ) and it seems that less than 5% (!!!) of the sites which are using SSL are using it correctly :-(

Dave Aronson said...
This comment has been removed by the author.
Dave Aronson said...

BTW, Schneier has also been pointing out incentive misalignment for quite some time.

Jeremiah Grossman said...

@davearonson indeed he has! And I'm seeing strong examples of it all over Web security, my playground.

Mark Linton said...

My opinion is that when we talk about incentive misalignment we are talking about consumers choice regarding the services and ensuring that security considerations are main part of those choices.

To do this effectively these consumers must be educated properly regarding what security means to their choices and be capable of applying this knowledge when utilizing services.

In my opinion to do this effectively, we (collective) must establish a reliable and consistently applicable description of what secure is. Some people have tried to establish these definitions (have a look at trust-guard) by selling this as a service, which has the correct intentions but can't be implemented in a meaning-full way.

If you look the auto-industry and the safety/security of the vehicles we drive, in the US we have who establish common semantics and methods of educating the public regarding the safety of vehicles created.

The US also has legislation and benchmarks for testing the safety of automobiles.

What we need is to establish a similar framework for the protection of information, to define requirements and standards for protection, independent objective evaluation and publication of services against these standards, and disclosure of failures of services which result in loss.