John Dean, former Chairman & CEO of Silicon Valley Bank and one of WhiteHat Security’s earliest investors, shared some wisdom with me years back that I rely upon every day. “Interests must be in alignment,” he said. Meaning that for an effort to be successful everyone must pull in the same direction and be incentivized accordingly. In sales, for example, revenue quotas motivate personnel to achieve higher pay. Postal mail delivery deadlines reward drivers who complete their routes quickly by allowing them to go home early. Even software development groups sometimes have compensation tied to release dates or defect reduction. Failure to meet objectives may result in employee write-ups, missed promotions, or dismissal. Alignment of interests encourages stakeholders to work efficiently together towards a common goal. When approaching Web security, the landscape is littered with conflicts of interest. Before discussing a few of them, let’s briefly look at the current state through some recently published reports.
"82 percent of websites have had at least one security issue, with 63 percent still having issues of high, critical or urgent severity.”
WhiteHat Security (Sixth Quarterly Website Security Statistics Report 2008)
"60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008."
Websense Security Labs (State of Internet Security, Q1–Q2 2008)
"From 2006 to the first half of 2008, vulnerabilities affecting Web server applications accounted for 51 percent of all vulnerability disclosures."
IBM Internet Security Systems (X-Force® 2008 Mid-Year Trend Statistics)
"‘Invisible threats’ (such as hard-to-detect infections of legitimate websites) are making common sense and many traditional security solutions ineffective."
Cisco (2008 Annual Security Report)
"As a result of these considerations, Symantec has observed that the majority of effective malicious activity has become Web-based: the Web is now the primary conduit for attack activity."
Symantec Internet Security Threat Report (Trends for July–December 2007)
The poor state of Web security is well known to industry insiders, security experts, academics, and malicious hackers. Scores of brilliant minds all over the world have spent their careers developing technology solutions, backed by hundreds of millions (billions?) of dollars in venture capital, only to witness the problem steadily worsen. It’s not that we don’t know how to secure a website. We do! We know how to harden operating systems, lock down Web servers, encrypt data in transit and on disk, develop secure Web applications, and so on. We have been unsuccessful not because of a shortage of good security products, too few qualified professionals, ineffective standards, or the lack of a cabinet-level cyber security czar. The culprit is a lack of business drivers. Those in the best position to provide security are not necessarily those who suffer the losses, and those who suffer the losses are often incapable of doing much to protect themselves.
For example, why isn’t every packet of Web traffic encrypted with SSL? Doing so would improve defenses against passwords being stolen and online actions being spied upon, and would remove one of the tricks phishers rely on. However, SSL adds performance overhead, causing websites to slow down and negatively affecting the user experience. Solving these issues costs money. Not to mention the fact that SSL hinders governments’ and ISPs’ ability to monitor what we do online. So security, our security, is sacrificed for performance and surveillance. Removing or default-disabling IFRAME and a few other features from Web browsers would do a lot to slow or stop the spread of drive-by-download exploits, which are now a leading cause of malware propagation: the hidden IFRAME is the delivery vehicle that silently pulls exploit content from an attacker’s host into a page the visitor trusts. However, browser vendors are quick to point out that doing so would “break the Web.” That is not exactly accurate. More precisely, it would break the multibillion-dollar online advertising revenue model that relies upon IFRAMEs. So again security, our security, is sacrificed for banner ads and social network Web widgets.
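The “invisible threats” the Cisco report refers to and the IFRAME argument above meet in one common pattern: an attacker who has injected markup into a legitimate page adds a frame the visitor never sees, pointing at an exploit host. The script below is an added example (not WhiteHat’s code, nor anything from the reports quoted) that flags hidden IFRAMEs loading off-site content. The sample page, its domains and its URLs are constructed for illustration, and the size and style heuristics are an assumption about how such frames are commonly concealed rather than a complete list.

```python
"""Flag hidden, off-site IFRAMEs in an HTML page.

Added example: heuristics for the kind of injected, invisible IFRAME
that turns a legitimate page into a drive-by-download vector. The
sample page below is constructed; the domains in it are hypothetical.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with a normal, visible advert frame,
# an injected 1x1 hidden frame to a third-party host, and a hidden but
# same-site helper frame (to show what should *not* be flagged).
SAMPLE_HTML = """
<html><body>
<h1>Welcome to example.com</h1>
<iframe src="https://ads.example.com/banner" width="468" height="60"></iframe>
<p>Page content.</p>
<iframe src="http://badsite.example.net/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/help/frame.html" width="0" height="0"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values of 0 or 1 pixel (e.g. '1', '0px')."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Heuristic: the frame is concealed from the user (assumed indicators)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
        return True
    # Pushed off-screen with a large negative offset, e.g. left:-9999px
    m = re.search(r"(?:left|top):-(\d+)px", style)
    return bool(m) and int(m.group(1)) >= 1000


def is_offsite(src, page_host):
    """True if src names a host other than the page's own host.

    Relative URLs have no hostname and are treated as same-site.
    """
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_host):
    """Return the src of each IFRAME that is both hidden and off-site."""
    parser = IframeCollector()
    parser.feed(html)
    return [
        attrs.get("src", "")
        for attrs in parser.frames
        if is_hidden(attrs) and is_offsite(attrs.get("src", ""), page_host)
    ]


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "example.com"):
        print("suspicious hidden off-site iframe:", src)
```

Run against the constructed page, only the 1x1 frame to badsite.example.net is reported: the advert frame is off-site but visible, and the help frame is hidden but loads from the page’s own host. In practice the same injection technique also uses `<script src>` tags and meta refreshes, so a real scanner would apply the same “hidden and off-site” test to those as well.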
As Bruce Schneier (CTO of BT Counterpane) has said, security is about tradeoffs. We may trade money, convenience, privacy, liberty, etc., to obtain a certain level of security. The unfortunate thing about Web security, though, is that the tradeoffs are made without the knowledge of the Web user who is largely and personally affected. For the most part they remain oblivious to the myriad significant risks they are exposed to online, so tradeoffs are made on their behalf by the powers that be, often conflicting with their best interests. Imagine if they were aware that each website they visited, legitimate or otherwise, could uncover what other sites they’ve visited and where they are logged in, could force their browser to attack other websites or download illegal content on their behalf, and could spy on them by hijacking their webcam and microphone. All of these are possible, many of them easy, without compromising their machine at all, and that compromise remains entirely likely on top of it. Web users are now beginning to realize something is up, and this realization is having a business impact on the bottom line.
Security compliance standards, such as the Payment Card Industry’s Data Security Standard (PCI-DSS), attempt to bring interests into alignment by compelling businesses to implement certain safeguards or risk disciplinary action -- mostly fines or threats to halt operations. Security vendors love strongly enforced compliance standards, as it frees up budget for their solutions, which may not reduce risk but have to be purchased to satisfy a checkbox. While good at raising awareness, security standards also tend to be slow moving, with a one-size-fits-all approach. As such they are unable to efficiently address a fast-changing threat landscape in which each constituent’s risk tolerance can be wildly different. Finally, standards can also be circumvented, especially when auditors with flexible ethics are incentivized to rubber-stamp anything so they can return another day to earn another buck. The U.S. mortgage industry faced a similar problem when credit rating agencies assigned a good-as-gold “AAA” rating to high-risk deals in order to receive large commissions. When interests are not in alignment, we all can suffer.
How do we get the owners of 187 million websites, 17 million developers, browser vendors, universities, governments, ISPs, compliance auditors, and security researchers all to pull in the same direction towards a more secure Web? How do we get interests into alignment? This is the fundamental question we need to be asking ourselves. Admittedly, I have more questions than answers, but what I do know is that all the stakeholders must be accountable to someone else for the system to work. Ultimately we have a software security problem, and with proper accountability we’d be able to achieve the alignment of interests needed to justify doing the things we already know work. Businesses would seek to procure software that has attained a certain level of security assurance before deployment. Organizations developing software would give preference to developers with the skill set to deliver it. Software developers would seek to further their own education and improve their employment outlook by studying security principles. Educational institutions would be compelled to add more and better security curriculum to attract more students. Alignment of interests is the answer.