Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
CISOs' Cyber War: How Did We Get Here?
Newest First  |  Oldest First  |  Threaded View
Dimitri Chichlo
50%
50%
Dimitri Chichlo,
User Rank: Apprentice
1/14/2018 | 4:23:33 AM
Re: Software == Bugs
Thnak you for your article, Jack. Indeed, software==bugs but, yes, we know means of programming that avoids most of code mistakes. Plus by stretching the time to market, you are putting your business at risk (ex.: Diginotar).

What puzzles me in this industry, is that we take for granted something which is completely unacceptable in other industries. Take automotive for instance. Do you imagine that every month the car dealer calls you to fix something in your newly acquired car (ABS, airbag, brakes, etc.)? By the way, this can very much be the case in the future, as cars are no more than driving appliances but so far, we have seen limited cases, but they do exist. 

However, do you have to be a CISO to understand the need for security? I do not completely agree with that. I think that this is rather a question of common sense. One of the challenges we face as infosec professionals is to pass the message higher. Do we really succedd in that? I doubt. It is just that security is still not embedded in IT (yet) and not considered as a (potential) competitive advantage. 

Not sure also about the concept of cyber war. I would leave that term to a state level concern, not at business level, although some businesses are strategic for countries, but this is another story. I would rather use "IT security" (not really sexy though :). 

 

 
jackmillerciso@gmail.com
50%
50%
[email protected],
User Rank: Author
1/9/2018 | 11:39:06 PM
Re: Software == Bugs
Thank you for your comment. I do agree with you, these points you clearly articulate are valid and must be taken into consideration for developing any meaningful and workable policies or regulations.

While some discovered vulnerabilities might have been virtually impossible to find with even the best QA program, unfortunately, there have been many that should have easily been identified and remediated but were not and that problem must be resolved. 

Likewise, with concern to innovation, I don't think it is an either/or conversation.  Even in the most regulated industries there is always innovation, the most important thing is that we have a level playing field. 
Brook S.E.S308
50%
50%
Brook S.E.S308,
User Rank: Apprentice
1/9/2018 | 1:53:30 PM
Software == Bugs
The Turing Proof has not yet fallen. Short summary: an automated process cannot prove that an automated process is correct.

IOW, software can be proven to have errors, but not proven to be absolutely correct. That means that we will be living with software errors for sometime - imagining that viulnerability is entirely a business problem missed a key technical fact of life. 

Plus, not all vulnerabilities are equal. Many are not really of value to real-world adversaries. Risk assessment will continue to be important.

As I have noted both in my books and elsewhere, error is also an artifact of innovation. When attempting something new, it's not going to be "right" for a while; mistakes will be made. 

Finally, designs for yesteryear will likely not survive tomorrow's research.

Meltdown/Spectre is precisely this situation. Speculative execution has provided enormous CPU gains. We now know that those gains came with a security cost, because dedicated researchers probed and prodded to find holes in the design. future designs are thus improved. 

This last point is key: it's very hard to anticipate every possible use case and mis-use case for a design. While analytic tools like Threat Modeling can anticipate known techniques, it's very hard to see far into research and attack future.

While your points are certainly valid, the argument, I believe is incomplete without my additions

cheers

/brook s.e. schoenfield


DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...