Category Archives: software

Finding (Risky) Signals in the Open Software Noise

Recently the Linux Foundation teamed up with DHS to create the Census Project analyze those open source software projects that should be considered risky and to define what risk might be. Risky might be: small community, slow update, no website, IRC, no listed people, etc. People need more Code Intelligence (CodeINT) on the source code they use and ways of classifying things.

Check it out:  The Census represents CII’s current view of the open source ecosystem and which projects are at risk. The Heartbleed vulnerability in OpenSSL highlighted that while some open source software (OSS) is widely used and depended on, vulnerabilities can have serious ramifications, and yet some projects have not received the level of security analysis appropriate to their importance. Some OSS projects have many participants, perform in-depth security analyses, and produce software that is widely considered to have high quality and strong security. However, other OSS projects have small teams that have limited time to do the tasks necessary for strong security. The trick is to identify quickly which critical projects fall into the second bucket.

The Census Project focuses on automatically gathering metrics, especially those that suggest less active projects (such as a low contributor count). We also provided a human estimate of the program’s exposure to attack, and developed a scoring system to heuristically combine these metrics. These heuristics identified especially plausible candidates for further consideration. For the initial set of projects to examine, we took the set of packages installed by Debian base and added a set of packages that were identified as potentially concerning. A natural outcome of the census will be a list of projects to consider funding. The decision to fund a project in need is not automated by any means.

 

Source Code is Maneuver Warfare

(posted on medium.com, March 12, 2015)

The US Military is a software based fighting force. If software doesn’t work, or is out-of-date or is hacked; planes don’t fly or get refueled, paychecks don’t get cut, weapons don’t get delivered, travel orders get delayed, networks don’t work, maps don’t get shipped and email goes down — leading to less than desirable battlefield outcomes.

Software source code is central to how the U.S. Military fights wars and projects power. Software and source code is not treated as a thing of value in the military: further the management, governance, maintenance and operational reuse of software is an after thought.

The context has changed, radically. Not only has the nature and tactics of our adversaries changed (cyber hacks, suicide attacks, IEDs, loosely coupled non-state actors, etc.), but the technological state of play in the private sector (where our adversaries source their technologies) has completely transformed in ways that leave military program managers at a loss. The global technology bazaar is driven by highly competitive, accelerated innovation, cheap off-the-shelf hardware and instantaneous communication. While the U.S. government wades through protracted acquisition cycles with large defense contractors, our enemies are shoplifting at Radio Shack.

In this context, where missions depend on perishable tactical intelligence and the disruption of networks (human and technological), speed and adaptability becomes far more important than in the past, not as a good in and of itself, but as a necessary condition for success. Access to real-time data (and software code), regardless of the application or device used to generate that data, becomes a requirement. Information flow across services and agencies makes (for instance) non-interoperable systems and proprietary formats a show-stopper. “If only that remote, under-resourced unit had a copy of our company’s software, they’d be able to display the location of the target” is NOT an acceptable concept of operations.

Without a sense of the strategic context, discussions about technology acquisitions and development tend to devolve, either into religious wars between rival schools of engineering methodology or turf battles about which processes, rules and regulations should or could be followed. Most of these conflicts about how and what to build are enmeshed in an industrial age acquisition system matured during the Cold War and NASAs race to the moon.

This system was set up to build tanks, aircraft carriers and missiles — massive amounts of hardware that take a long time to develop and manufacture — to counter a slow, bureaucratically hidebound adversary that’s trying to do the same thing in the same way. But it made sense: developing military hardware is all about optimizing a design to be cheap to manufacture at a high rate, just like GM, Ford and Toyota do, but software is a different beast. In software: software is never complete, it is always being updated, costs are spread more evenly out in it lifecycle versus hardware systems.

I’m most worried about software since that evolves more rapidly than hardware. The government still uses a hardware-based model to buy software-based systems. Which is the wrong method for software because in hardware systems the design and costs are front-loaded and the design is optimized for large builds, where as software costs are exposed over its entire lifecycle.

The rapid adaptation and evolution of enemy tactics means that when a new capability becomes available to the military, it must be possible to plug in that capability without a massive and expensive and slow integration effort. Being able to shrink and accelerate innovation cycles and leverage technical expertise across the enterprise becomes a strategic advantage on this kind of battlefield. These big contextual shifts, rather than philosophical leanings or new technologies per se, tilt the game in favor of open systems.[1]

In the software domain, the ability to rapidly modify existing systems in response to unanticipated threats and opportunities depends on access to that systems development supply chain. Do developers of new capabilities have to use non-proprietary standards, formats and interfaces so that data can be exported and used by other applications? Are technical architectures required to be modular enough to improve or replace components without the exit costs of vendor lock-in? Can code developed on the government dime be leveraged across programs?

These are not technology issues, per se. These are business issues, and they drive competitive military advantage. The key part to making any of this possible is access: access to the intellectual property (IP) investments made by the military on behalf of the American taxpayer.

Large companies have know software is a competitive advantage and have taken steps to actively manage its creation, use and dissemination. Companies like General Electric, Amazon, Microsoft, Facebook and Google have released software as open source to ensure they commoditize technologies and markets faster to ensure they always have vendor options and are never locked in or out of opportunities.

This is why intellectually property governance becomes so important, by allowing one military contractor to in effect own the monopoly on that taxpayer funded piece of software, the military is making a big bet that, that one contractor is the best to manage that software line. This limits competition, slows tech progress and drives costs up both total and increases the cost of technical debt. (Technical debt is how much time and effort it takes to change a systems design).

The government (and taxpayer) funds a massive amount of software IP development, which doesn’t effectively get reused. The military needs executive strategic direction describing why intellectual property is important to the Nations defense and more importantly defining how it should be managed to maximize its return on investment for the military. There are a number of tactical methods (e.g., various field manuals and acronyms: Intellectual Property: Navigating Through Commercial Waters, MOSA, FAR, DFAR, etc.), but there is nothing that lays of the strategic imperative for why software IP is a strategic asset to be actively managed.

Organizing Principles

We must rebuild the government and military acquisitions process around how modern software is built. This kills two typical development problems: hardware platforms and software since hardware is the same process, just slower.

Initial design principles:

1. Code is maneuver. Software needs to be treated as something that has as much value as the Soldier, Sailor, Marine and Airman. Their lives depend on how software is build developed, deployed and ultimately updated.

2. Continuous & Speed. Software is never done, it always needs evolving, its use is accelerating and its update cycle is accelerating at the same time. Automation must be pushed as an imperative to ensure maximum speed advantage of technology deployment and supply chain replenishment.

This is important because all successful companies have very clear lines, limits and directions around how company-to-contractor funded IP should be treated.

Too often in the military, taxpayer funded IP around software is treated as something not of value (if it was it would be better controlled).

Note: Jim Stogdill coined the phrase “Code is Maneuver”http://limnthis.typepad.com/limn_this/2007/09/in-cyberwar-cod.html

[1] Ref: The DoD SoftwareTech News June 2007, Vol. 10 # 2, COTR Warriors: Open Technologies and the Business of War

Ounce of Prevention Costs too Much

Evidently an ounce of prevention costs too much for a majority of enterprises if you believe this study: Organizations taking months to remediate vulnerabilities

“On average, nearly half a year passes by the time organizations in the financial services industry and the education sector remediate security vulnerabilities, according to new research from NopSec.

For the study, the security firm analyzed all the vulnerabilities in the National Vulnerability Database and then looked at a subset of more than 21,000 vulnerabilities identified in all industries across NopSec’s client network, Michelangelo Sidagni, NopSec Chief Technology Officer and Head of NopSec Labs, told SCMagazine.com in a Tuesday email correspondence.

According to the findings, organizations in the financial services industry and the education sector remediate security vulnerabilities in 176 days, on average. Meanwhile, the healthcare industry takes roughly 97 days to address bugs, and cloud providers fix flaws in about 50 days.”

Study: Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities

Really interesting post from BanyanOps that screams for supply chain management solutions:

Docker Hub is a central repository for Docker developers to pull and push container images. We performed a detailed study on Docker Hub images to understand how vulnerable they are to security threats. Surprisingly, we found that more than 30% of official repositories contain images that are highly susceptible to a variety of security attacks (e.g., Shellshock, Heartbleed, Poodle, etc.). For general images – images pushed by docker users, but not explicitly verified by any authority – this number jumps up to ~40% with a sampling error bound of 3%.”

For Want of a Patch (& a Supply Chain)

(originally published at CTOVision.com, December 8, 2014 )

For Want of a Patch

For want of a patch the component was lost.

For want of a component the stack was lost.

For want of a stack the system was lost.

For want of a system the message was lost.

For want of a message the cyberbattle was lost.

For want of a battle the enterprise was lost.

And all for the want of a software patch.

As the old proverb reminds us, logistics is important: most battles are over before they’ve begun due to having or not having a solid logistics tail. During WW2 the Allies found out the hard way with the invasions of Africa: ships loaded incorrectly led to delays in material onto the beaches and towns, things like ammunition, fuel and medical supplies are needed before typewriters and tents. As subsequent amphibious invasions progressed (North Africa, Sicily, Italy) the military learned how to coordinate better the planning and ultimate loading and unloading of material and manpower to have the largest effect in the fight. These processes ultimately culminated with the successful massive invasion of Normandy to end the 3rd Riech’s hold on Europe. 

The key lesson was to view logistics in war as a continuous process that feeds a fast and continuously maneuvering Army. 

Cyberwar is no different and more closely follows the proverb: one unpatched line of code can leave an entire enterprise open to assault. Why? Accelerated use of software, more software dependencies on other pieces of software AND all that software is constantly in need of being updated. Current organizational processes to keep software updated can’t keep up with the change being generated by the outside world. 

Example: Amazon software deployments for May 2014 for production hosts and environments: 11.6 seconds is the mean time for deployments and 1,079 max deployment in one hour: how many military systems can claim that many deployed changes in a month? (Ref: Gene Kim, slide 23 http://www.slideshare.net/realgenekim/why-everyone-needs-devops-now) I doubt any, but this is what the military (and modern enterprises like Sony) must prepare for: never ending change and updating on near random cycles.

More to the point: continual and unscheduled software patches are the landscape in this new maneuver environment. And since they can’t be planned for, organizations need to learn to evolve for change and deploy software and new capabilities continually. 

Software supply chain planning is no longer something that can be starved of funds. Malware, continuous monitoring, and network scanners can tell you which barn doors are open and that the horses are leaving, but leave enterprises with a massive punch list of fix it items. Funding, time and effort need to spent on the supply chain. It is the first true line of cyber-defense. 

Parting shot, question for CIOs/CTOs: Can you patch all of your systems in the next hour, using existing processes and not bypassing things? For most organizations the answer is no, OpenSSL patches (seriously!) get emailed around from dubious sources is akin to Mom mailing ammo to her son in a care box in Afghanistan.

For want of a message the cyberbattle was lost.

For want of a battle the enterprise was lost.

And all for the want of a software patch.