Sunday, May 10, 2009

CyLab Business Risks Forum: Gary McGraw on Online Games, Electronic Voting and Software Security



"...take a look at the work that Brian Chess and I talked about at RSA, called the BSIMM. Our insight was very simple. We said, 'You know, there are people that have been doing software security for a decade, why don't we put on our anthropology hats, go out into the field and describe what we see.' We did an observation-based model ..." Gary McGraw on Building Security In Maturity Model (BSIMM), developed by Cigital and Fortify

The CyLab Business Risks Forum is a virtual group of subject matter experts in business and government that I have established to further inform and enrich the online content, both for CyLab's public site and for its partners-only portal.

These subject matter experts are tapped for the monthly Business Risks Forum events that supplement the ongoing CyLab Seminar Series. Their compelling talks are accessible on-line to CyLab's corporate partners; and from time to time, I publish "CyLab Seminar Series Notes" here on CyBlog. The insights of Business Risks Forum experts are also found in my Intelligence Briefings and Culture of Security features, and in the quarterly CyLab Focus, all available via the partners-only portal.

In addition, here on CyBlog, I will be posting interviews with individual Business Risks Forum participants, e.g., this one featuring Gary McGraw, as well as virtual Roundtables engaging several participants on a common theme, e.g., CyLab Virtual Roundtable on Cyber Security News Media.

As mentioned in RSA Conference 2009: Want to Play a Game? Gary McGraw & Expert Panel Explore the "Edge of Technology," although the whole of the conference was abuzz with babble about "Cloud computing," perhaps the most important insight came from Gary McGraw, CTO of Cigital and author of several worthy tomes. His latest book, Exploiting On-Line Games (Addison-Wesley, 2007), co-authored with Greg Hoglund, was also the subject of a panel McGraw led at RSA 2009.

In his opening remarks, McGraw declared “what we are talking about is the future of software security.” There are so many people out on the exhibit hall floor hawking the so-called Cloud, “even though they have no idea what it means.” But online games are massively distributed systems. “They put nine gigabyte globs in everybody’s box.”

I made a note to follow up with McGraw for the CyLab Business Risks Forum.
We caught up recently and asked him to expand on his comment, as well as to weigh in on some other vital issues.

-- Richard Power

Richard Power, CyLab: What does your work on the exploitation of on-line games tell us about "Cloud computing"? What lessons are there to be learned?

Gary McGraw, Cigital: “Online games, like World of Warcraft (WoW), are massively distributed. They have fat clients, millions of them, and server farms that are all over the planet. And it is what, in marketing land, we are calling Web 2.0, or ‘Cloud computing,’ or flavor of the day. So if we want a case study of the future, we need look no farther than on-line games. If we understand what is going on with security, and cheating, and economics, and the law, and the technology concerns, all at the same time, we have a very small but important crystal ball.”

Power: So the bigger issue that you just framed there is that these are massively distributed systems, so this is not just cheating in games, it is what is opened up to outsiders about an individual's or organization's computing space?

McGraw: Yes, and let's get one notch more specific. My work usually concerns itself with software security. And in this case, those people who architected the games overlooked a very important and fundamental security idea: trust boundaries. They forgot, or overlooked, the notion that when you put code outside the trust boundaries on your potential attacker's machine, you shouldn't be surprised when your potential attacker becomes a real attacker. In distributed systems, it is hard enough to get it right when everybody is on the right side of the trust boundaries, or there are no trust boundaries. In this case, there are incentives for bad people to make a real trust boundary, and if you do not take that into account during your design, you get yourself in trouble.
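As an added illustration of the trust-boundary point McGraw makes (this is not code from the interview, from Cigital, or from any game vendor; the movement cap and loot table are constructed for the example), here is the design that overwrites server state with whatever the fat client asserts, beside a server-authoritative design that treats client messages as requests to be validated:

```python
# Added illustration, not code from the interview or from any game vendor.
# The movement rule and loot table below are constructed for the example.
from dataclasses import dataclass
import math

MAX_MOVE_PER_TICK = 5.0          # constructed rule: max distance per tick
LOOT_TABLE = {"goblin": 10}      # constructed: reward per kill, decided server-side


@dataclass
class Player:
    x: float
    y: float
    gold: int = 0


class NaiveServer:
    """The design the interview criticises: the client runs on the attacker's
    machine, yet the server replaces its own state with whatever it reports."""

    def __init__(self):
        self.players = {}

    def handle_update(self, pid, x, y, gold):
        self.players[pid] = Player(x, y, gold)   # no trust boundary enforced
        return True


class AuthoritativeServer:
    """Server-side state is canonical; each client message is checked against
    it, so a modified client cannot assert impossible positions or wealth."""

    def __init__(self):
        self.players = {}

    def spawn(self, pid, x, y):
        self.players[pid] = Player(x, y)

    def handle_move(self, pid, x, y):
        p = self.players[pid]
        if math.hypot(x - p.x, y - p.y) > MAX_MOVE_PER_TICK:
            return False                         # teleport: reject, keep server state
        p.x, p.y = x, y
        return True

    def handle_kill(self, pid, monster):
        # Gold is never accepted from the client; the server decides the reward.
        p = self.players[pid]
        p.gold += LOOT_TABLE.get(monster, 0)
        return p.gold
```

The naive server accepts a teleport and a billion gold from one message; the authoritative one rejects the impossible move and only grants rewards it computed itself.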

Power: Are you getting recognition on this issue from developers in the game space?

McGraw: Not so much. We are doing some work with some game companies, and helping them with software security issues. My book, though, is aimed more at software security practitioners, in general, than it is at game developers. The game developers should solve their problems, and they are interested in this work and thinking about it, but I want the lessons to apply to all sorts of others. In the front matter of the book, there are quotes from various people, and one of my favorite ones is from someone in the US Air Force, who says "Gosh, massively distributed systems are the future, and for the next 25 years, they're going to be what we have to work on, so understanding this work means getting a leg up on that knowledge you are going to need."

Power: One area of cyber security that has been of great personal interest to me for a decade is electronic voting. And I know you have done some work in this area as well. So let's move from games to perhaps the most important thing in the life of a democratic society.

McGraw: Actually, I think it is the second most important thing -- the most important thing is individual liberty, and freedom from surveillance and from "pretend security." So "No Tyranny!" is number one, and voting that works is number two.

Power: OK, the phrase is too tempting, tell us about "pretend security."

McGraw: Well, maybe not "pretend" but "ineffective." Let me give you an example: when you walk outside the door in the UK, you are on camera. And it is not clear that being on camera all the time puts a serious dent in either crime or terrorism. So what you are trading off is your own personal liberty about where you are, who you are talking to and what you are doing for some "pretend security." That sort of thing I am just vigorously opposed to. ...

Power: So then, on to number two, the sanctity of the vote. I was concerned about this before the 2000 election. In the 1990s, I had a file I called "Security Breaches Waiting to Happen," which I filled with articles I tore out of IT business magazines. Each article in the file extolled the virtues of some coming application. I kept them on file so that I could refer back to them as each of these virtues was revealed to carry hidden vices. None of them concerned me more than the notion of electronic voting, particularly because of what we know about the lack of software security that goes into the development of such applications.

McGraw: Electronic voting is not something that I have been involved in intentionally. The reason for that is that you can't escape the politics. Unfortunately, it has very little to do with either the prophecies or the technologies. Getting these machines adopted or rejected turns out to just be a political exercise. ... The work of people like Jeremy Epstein, Avi Rubin, Ed Felten and others who have been very active is very important and we should pay attention to it. To me, the most important issue of all is an audit trail that you cannot tamper with. How you get that audit trail I do not really care ... I live in Clarke County, Virginia, and Clarke County has just a few thousand people. My friend Chip was running for the School Board and he lost by one vote. Something like 612 to 613. There were maybe 14 write-in votes. There was one accumulator. The way the recount went was "well, yesterday, the register said whatever, 607, and today it also says 607." Now that is the stupidest recount I have ever heard of. That is disconcerting. Frankly, I would rather have big arguments over hanging chads, because then you have a big pile of paper to look at.

Power: Have we made any progress?

McGraw: I think we have. California has decertified the worst of the worst. That's progress. And the way California goes, the rest of the nation follows eventually. ... I do not even know my registrar's political affiliation, and it does not matter. What does matter is that she chose that machine. And when I said, "hey, you know this machine has some problems, and here is a paper my friend Avi wrote," she got really angry. I said, "this is not about you, this is about technology." So even locally, it is political. Someone has made this decision, and it makes them embarrassed to admit that it is a piece of crap. ...

Power: So our conversation has moved from online games to electronic voting, and this just hints at the scope of the overarching issue, i.e., software security. Are we progressing? Are we spinning our wheels? What should vendors be doing differently? What should academic programs be doing differently? Perhaps the most important question is whether or not this is a field that can be formalized, or is it more of a gestalt?

McGraw: That is a good question, and a very important one. We have made obvious and heartening progress over the last decade. You may recall I wrote a book called Building Secure Software in 1999. At that time, the goal was to convince people that software security was important and that they should be talking about it. Ten years later, everyone is talking about it, and people are starting to wonder what we should do about it. In 2006, there was a wave of "what you should do about it," including my book Software Security and Howard and Lipner's book about the SDL ... At that point, you could follow one of the religions, or make up your own religion, or whatever. But basically you were cutting new ice on how to substantiate a culture of software security inside your large company. Well, fast-forward another three years, and take a look at the work that Brian Chess and I talked about at RSA, called the BSIMM. Our insight was very simple. We said, "You know, there are people that have been doing software security for a decade, why don't we put on our anthropology hats, go out into the field and describe what we see." We did an observation-based model, we said things like "monkeys eat bananas." Notice that the phrase "monkeys eat bananas" does not say whether it is good or bad, it does not say what color the bananas are, or whether or not the monkeys eat them while running, or steal them from one another. All it says is one observable fact. We tried very hard in the BSIMM to do the same thing. So we are not making value judgments about you should do software security, what we are doing is making clear observations about how ten very successful companies that have large scale software security initiatives have done it. I think that is the next phase of moving software security from religion to science, from alchemy to science. 
And I am very pleased not only with the fun we had making the work, and the gracious response we got from all of the participants, but also with the response from the entire community. Whenever I present the work, it is just astounding. I am hugely optimistic that we are making some great progress, and that people are recognizing that and that they are hopping on board. It is a pretty exciting time.

Power: What does Cigital do?

McGraw: We are the largest software security consulting firm on the planet. We have offices in New York, Boston, Silicon Valley and in Virginia, near Washington, D.C. We have about a hundred twenty people. We provide all sorts of software security and software assurance services. And these services start at the most strategic level with helping people to formulate and then execute large scale software security initiatives. Some of the people in the BSIMM, but not all of them, are our customers, and we helped them set up their software security initiatives. We also help people do the nuts and bolts stuff. If people need to figure out how to review ten million lines of code, we will help them pick the tools, make the tools work, make it work automatically, integrate it with their bug tracking system. We do almost everything from the strategy of how to train your people and evolve a program all the way to penetration testing and code review.

Related Posts

Silver Bullet: Gary McGraw Interviews Virgil Gligor on Software Security and Other Vital Issues

RSA Conference 2009: Want to Play a Game? Gary McGraw & Expert Panel Explore the "Edge of Technology"

Fortify & Cigital Release BSIMM -- Integrating Best Practices from Nine Software Security Initiatives

CERT Podcast Series -- An Experience-Based Maturity Model for Software Security