Secure Software: Just a Dream?
Mike Rothman and RSnake at Dark Reading are in agreement about software needing to be more secure. I think every security expert will agree. I think every software developer may also agree.
Despite the common interest among experts in secure software, software will never be secure enough. The business case for secure software is about as compelling as the business case for anomaly-based intrusion prevention with no false positives. While Schneier's Prospect Theory and his angle on behavioral analysis are interesting, I think a more apt behavioral metaphor is the Prisoner's Dilemma.
In the Prisoner's Dilemma there is a negative incentive for undermining a fellow prisoner ("competitor") and a positive premium for working jointly (in the form of a lighter sentence for both). One would think that rational behavior would prevail and that the interviewed prisoners would support each other in exchange for a lighter sentence.
Back in my grad school days I dabbled in cross-cultural research into culture and cooperation in various Middle Eastern cultures. I ended up changing my thesis topic because I couldn't get enough volunteers. Even in the 80s, before 9/11 and the chain of high-profile events between a fragmented West and a panoply of influential Middle Eastern tribes/clans striving to maintain their enriching status quos, there was so much suspicion that I couldn't entice college students studying in the US to even participate in a game theory study.
In the security business, there is a premium for undermining the status quo, and this premium goes well beyond hackers and angry insiders and the various cottage industries that have monetized imperfection. Software developers and security pros to some extent are also involved in a paradox at best and possibly a Prisoner’s Dilemma-style quandary at worst: symptoms are more profitable in the short term than cures.
Earlier this year I talked about Oracle's (ORCL) security paradox and its impact on a growing market for database security appliances. In short, software companies monetize security by using it as a basis for selling upgrades/renewals. Despite the best intentions internally, software developers will never spend enough money or time to deliver completely secure software, even if that were possible.
The security industry would also shrink dramatically if there were ever secure software. Sorry Mike, but there is no getting ahead, just the dream of progress. Secure software would be devastating for a sizable ecosystem of publications, analysts, vendors, hackers and, to a lesser extent, even security pros. Those audiences have sizable resources and very focused interests, and they are not likely to cooperate beneath the layers of lofty rhetoric, proclamations and sponsored RSA keynotes.
Recently virtualization vendor Citrix (CTXS) even washed its hands of virtsec, even though it posed an opportunity to increase data center adoption. They didn't see the business case for protecting VMs, even if it gave them an opportunity to leapfrog VMware (VMW) into production deployments. And why should they step up and fill the void created by the hypervisor layer and legacy software mutating and moving under the netsec radar?
Getting the upper hand on VMware in security would translate into hefty valuation premiums, yet both Microsoft (MSFT) and Citrix would rather wait for VMware to slip than try to compete with VMsafe. VMware has thus been the only player to talk about security as a business case and opportunity, despite the obvious benefit to Microsoft and Citrix of using security to enhance data center adoption. Again, the pattern suggests game theory is at play rather than rational big-picture "common interest" decision-making.
One could argue that the virtsec market is small right now because enterprises are accepting a lower payoff in terms of flexibility and consolidation in exchange for maintaining their security profile. As the rationalization goes, their netsec gear doesn’t have to see into the hypervisor (and protect VMs from one another) because they’ll isolate zones of hypervisors with similar security profiles. I would call this “Back to the Future” model the most common first step of production virtualization. Maybe it’s “virtualization-lite”.
I predict that this model will dominate until there is a well-publicized attack that generates a flurry of analyst queries, "my-o-my" feature articles, solution bake-offs and fast purchase orders for the lucky vendors who timed the market. In the same way that the anti-virus market took off after a notorious attack, the virtsec market will explode and disrupt the day-to-day game between leading vendors, their obedient customers and the economics of pain monetization.
As Rothman has suggested, security is often tactical and reactive. Again, that's more like the Prisoner's Dilemma than rational cooperation. While Schneier can talk about various behavioral theories and tradeoffs between short- and long-term risks of various kinds and human interests, and deep experts like Rothman and RSnake can lament how much better things would be if software were more secure, I think the business case is so weak that it simply won't happen.
Unfortunately imperfection and competition can be much more profitable than the secure software dream. And in cases where centralized bodies have formed to inject a “common interest” even their efforts have been ultimately compromised by concentrated interests. They often produce even less cooperation and innovation than the dastardly status quo of underminers we love to lament.
That is why I tend to be an extremist when it comes to the need for ongoing investments in security start-ups and innovation. They have a focused interest in solving a particular problem. They aren’t any more perfect or noble; they just fight the status quo of underminers and the economics of pain monetization. Their survival depends on innovation; whereas the status quo depends upon the continuation of need and lament.
Isn't that also the essence of struggles throughout the world, between innovation, modernity, democracy, women's suffrage, etc., and highly concentrated traditional interests that wish to extend their reign as long as possible? Is the sorry state of software security about tradeoffs between hypothetical outcomes à la Schneier and/or hypothetical unmet dreams à la Rothman and RSnake, or simply the outcome of countless business case decisions?
If you're questioning security upgrades while waiting for a new, unbreakable software release, you may want to rethink your decision.
Disclosure: none