What is new after 20 years?
Looking back at the year 2005
Browsing through old stuff I ran into a document from 2005. It is not (primarily) out of nostalgia that I keep old stuff, just stuff that looks good enough to keep, and sometimes I am spot on. The topic of the old document is a high-level view on improving the state of security.
In no particular order the following items were the main focus points:
- "compliance [is the] main driver for many new security initiatives"
- "Risk driven assessment [based on] realistic scenarios, proven countermeasures, standards based"
- "[The] end of perimeter-only protection"
- "Integration [of security] in the Software Life Cycle"
It feels like it was only yesterday that I wrote or read these in some blog post. What has or hasn't changed?
What is the state of application security?
The ground rule is the same: embed security in all aspects of development. The principle of shifting left in the process still stands: the earlier you start embedding security, the less it costs and the better the end result.
The complexity and the parameters to deal with have changed. The waterfall model still exists, but it is less popular. Iterative approaches are gaining traction, sometimes with aggressive timings (agile development, DevSecOps, …). They require security competence in everyone involved in development, from concept to delivery: there is not enough time to wait for external expertise at every step.
One should add AI-assisted development as a new opportunity and a new concern. The code these assistants produce should follow secure coding guidelines in some way, either built into the assistant or enforced by post-processing. The complementary tooling, application scanners, should gain AI-driven features and be embedded in the same process.
The end of perimeter[-only] protection
Perimeter-only protection is insufficient. That is as true today as it was in 2005, for the same reasons, and now also because of complex value chains that cross company and country borders, for both processing and data storage. Zero trust is the well-known slogan these days.
Zero trust does not mean giving up perimeter protection. Even if the perimeter is "only" 80% effective, it makes a big difference. Layers of good, not perfect, security keep their value. Having a vault does not mean you let burglars into your house without effort and without risk of detection.
Are there any fundamental changes in compliance and risk management?
Risk-driven security, another point from 2005, is repeatedly advised by consultants and other well-meaning security professionals. In practice, compliance rules. Other initiatives are fine when there is budget left.
Just like in 2005, risk-driven security is hard. We can assess the impact of an event with some accuracy; the probability of the event occurring, however, is where the trouble starts. People are bad at estimating probability. A single surprising event, like an unexpected election result, trashes most predictions. The past is a poor predictor of the future: if my car has run fine for 20 years I might wishfully think it is guaranteed to run smoothly for another 3. How do we get reliable probabilities?
The chances of anything coming from Mars
Are a million to one, he said
The chances of anything coming from Mars
Are a million to one, but still, they come
The Eve of the War, Jeff Wayne, 1978
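The point above, that impact can be estimated but probability cannot, is easy to see once you stop collapsing the probability to a single number. The following is an added example, not part of the original post: it carries a probability interval through the usual annual loss expectancy (ALE) calculation instead of a point estimate, samples the interval to see where the bulk of the risk lands, and compares the result with the yearly cost of a control. The impact figure, the probability interval and the control costs are constructed for the example and are not figures from the post.

```python
"""Added example (not from the original post): what an uncertain probability
does to a risk number.

The impact is treated as reasonably well known; the probability is only known
to lie somewhere in an interval.  All figures are constructed for the example.
"""
import math
import random


def annual_loss_expectancy(probability, impact):
    """Classic ALE: probability of the event per year times its cost."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return probability * impact


def ale_interval(p_low, p_high, impact):
    """Carry the probability interval through instead of picking one value.

    Returns (lowest plausible ALE, highest plausible ALE)."""
    if not 0.0 <= p_low <= p_high <= 1.0:
        raise ValueError("need 0 <= p_low <= p_high <= 1")
    return (annual_loss_expectancy(p_low, impact),
            annual_loss_expectancy(p_high, impact))


def sample_ale(p_low, p_high, impact, samples=20_000, seed=2005):
    """Monte Carlo over a log-uniform probability.

    Log-uniform means every order of magnitude in [p_low, p_high] is equally
    likely, which is about as honest as "somewhere between 1 in 1000 and
    1 in 10" gets.  Returns (mean ALE, 5th percentile, 95th percentile)."""
    rng = random.Random(seed)  # fixed seed so the numbers are reproducible
    log_low, log_high = math.log(p_low), math.log(p_high)
    losses = sorted(
        annual_loss_expectancy(math.exp(rng.uniform(log_low, log_high)), impact)
        for _ in range(samples)
    )
    mean = sum(losses) / samples
    return mean, losses[int(0.05 * samples)], losses[int(0.95 * samples)]


def control_decision(control_cost, p_low, p_high, impact):
    """Compare a yearly control cost against the whole ALE interval.

    'control'     : the control is cheaper than the loss under every plausible
                    probability, so the decision does not depend on the guess.
    'accept risk' : the control costs more than the loss under every plausible
                    probability.
    'undecided'   : the answer flips somewhere inside the interval; no amount
                    of spreadsheet work fixes that, only a better estimate."""
    low, high = ale_interval(p_low, p_high, impact)
    if control_cost <= low:
        return "control"
    if control_cost >= high:
        return "accept risk"
    return "undecided"


if __name__ == "__main__":
    # Constructed scenario: a 5 M incident, probability "between 1 in 1000
    # and 1 in 10 per year" (assumed figures, not from the post).
    IMPACT, P_LOW, P_HIGH = 5_000_000, 0.001, 0.1
    print("ALE interval:", ale_interval(P_LOW, P_HIGH, IMPACT))
    print("mean / p5 / p95:", sample_ale(P_LOW, P_HIGH, IMPACT))
    for cost in (4_000, 200_000, 600_000):
        print(f"control at {cost}/year:", control_decision(cost, P_LOW, P_HIGH, IMPACT))
```

With the constructed figures the ALE interval runs from 5,000 to 500,000 per year, a factor of 100, while the impact was fixed. Picking the midpoint of the probability interval (0.0505) as "the" probability gives 252,500; the log-uniform mean is about 107,500; two defensible ways of turning the same ignorance into a number differ by more than a factor of two. A control priced at 200,000 a year lands inside the interval and the calculation simply cannot tell you whether it is worth it, which is the honest answer and the one a single ALE figure hides.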
20 years from now?
It is still very true that compliance drives the spending and resources of security departments. There are more regulations to comply with, and more elaborate ones. The consequences of failing an audit have become more serious. The pursuit of auditor happiness remains a top priority and consumes most of the budget.
The baseline for your business is complying with all regulations. From a business perspective it is possible to set the bar both lower and higher than that. If the cost of non-compliance is lower than the cost of the controls required to be compliant, there is a temptation to take the risk.
Whether people pay for short-term parking depends on the likelihood of being checked and the size of the fine. Speeding may result in some tickets that could be considered an acceptable price for your time. This is the purely financial viewpoint. For the parking ticket it is mostly a financial discussion: you take the parking spot whether you pay or not. For speeding the situation is very different. Speeding increases the risk for you and for other traffic. Injuries and lives are more important than money. An indirect, very selfish motivation may be losing your driver's license, even if that is a lousy motivation.
Consider the case of ransomware. The controls to prevent it are expensive. You may be inclined to reduce the risk without going all in. For the remaining risk you take out insurance, or you accept paying the ransom if needed. The latter is understandable, yet questionable. It is very close to paying protection money: it may be financially better for you in the short run, while at the same time rewarding criminal activity and making the perpetrators stronger and more motivated.
Making a deal with the criminals might also look attractive if you can avoid reporting the breach and the business impact of such public exposure. Tempting, but today it is likely a crime, for good reasons.
A fundamental weakness in compliance is those requirements that are based on "values". Take a very specific case, the data protection regulation (GDPR). It depends completely on the value given to privacy, with the EU taking a strong position in favour of its protection. Other parts of the world may discard and ignore the GDPR. Complying with the GDPR is not free. It could be seen as a competitive disadvantage.
Conclusion
Building secure systems is still hard and security-aware builders are still a minority. The dreaded penetrate-and-patch loop pops up too often. The debate between protecting only the perimeter and making every system responsible for itself is the wrong one. What to protect, and how, must be risk-driven. If only this were easy... Today, regulation, oversight and reporting requirements are under fire: compliance costs too much, it is overly complex, it does not provide sufficient added value, … Improve it, don't throw it overboard.
Twenty years from now, the same discussions are likely. There will be new systems, new threats, new risks and new people with the good old vulnerabilities and traps: a bad mixture. (Shameless plug to keep old guys in the loop.)