Monday, June 7, 2010

A bit of deep thought.

A couple of weeks ago Michal Zalewski wrote a guest post for Ryan Naraine over on the ZDNet Zero Day blog.  It stirred up some conversation, but I wasn’t going to comment on it until I hung out with the Pauldotcom crew for their 200th episode extravaganza and Hackers for Charity fundraiser.  The post and responses came up, and after a little deep (beer-induced) thought, I decided to share a few thoughts, and offer links to a variety of responses.

First, I almost skipped the post, the first sentence lost me:

“On the face of it, the field of information security appears to be a mature, well-defined, and an accomplished branch of computer science.”

Seriously?  Anyone who thinks that is clearly delusional.  But I know that Michal is not; he is brilliant, and Ryan encouraged me to read the entire post.  So, I did.  Even though the rest of the first paragraph really isn’t much better:

“Resident experts eagerly assert the importance of their area of expertise by pointing to large sets of neatly cataloged security flaws, invariably attributed to security-illiterate developers; while their fellow theoreticians note how all these problems would have been prevented by adhering to this year’s hottest security methodology. A commercial industry thrives in the vicinity, offering various non-binding security assurances to everyone, from casual computer users to giant international corporations.”

I am not sure how someone Michal’s age attained that level of cynicism, but it is impressive.  He goes on to say we have had no successes in software security, elegantly defines the problems in a few ways, and then leaves us there.  Michal appears to be making the kind of assertions that triggered my last post; I think he could really use a bit of perspective.  But enough of that; if you are interested in a look at software security from a variety of perspectives, check out the following links.  Note: these are some seriously smart folks; it often takes me a couple of passes at some of the ideas to get it.

Michal’s original post is here.

Amrit Williams has a great response here.

Ivan Arce responded here.  Ivan is crazy smart, and this is a thorough response.  It may take a little digesting to grasp Ivan’s points.

David Mortman has a great follow up post here.

Michal has a follow up to his post on his blog, including some comments, and links to a few responses (including some of the above).

It is an interesting series of posts.  But remember, nothing you read in any of them changes the fact that tomorrow is “Patch Tuesday”, with all the baggage that brings.  So keep a little perspective as you read the installments of this little drama.