Open Source Security
April 2016

SecurityWeek just published my latest article, “No Exit: The Case for Moving Security Information Front and Center”. “No Exit” is a reference to Sartre's existential play in which three people wind up locked in a room together for eternity, driving each other crazy. They are in hell. For the purposes of this article they represent developers, QA, and security people (or three random devops guys, your choice).

After I wrote this, I read Josh Bressers' take on the state of cybersecurity education, and I think he makes a great point: we really need someone to study why we are failing so badly.

At some level, we haven't solved the (unsolvable) problem of physical security either, and I think the analogy between cybersecurity issues and physical security issues is not the worst one. As a society, we need to decide the level of acceptable loss and then set our spending to match the level of security we can live with. I just hope that it ends up a little better than what we are currently doing.

P.S. For the record, I am a member of OWASP and a huge fan of the work they have done.

SecurityWeek has published an article that I wrote called “Establishing Correspondence Between an Application and its Source Code; How Combining Two Completely Separate Open Source Projects Can Make Us All More Secure”. I would love to see this concept come to fruition. IBM Research has had a long-term vision for enabling this type of integrity, and years after I first heard about it, it still astounds me how far ahead of their time they were and how durable their vision has been. The Debian Reproducible Builds project likewise amazes me, because its leaders fearlessly took on a huge mountain of work and are making it happen. The glue piece is still missing: someone will need to stand up and be willing to sign the file hashes with a recognizable and valuable key. But we are inching closer to having the technology to ensure the integrity of the delivery chain from source code to executable process. Yeah, yeah, yeah, there is still the problem of trusting the compiler and of realistically being able to audit the source code, but solutions to the former have been posited, and tools and techniques exist to deal with the latter (if you care enough to do it). We are inching closer.