Part 2: The Defender's dilemma
(Mom's Warning, continued)
When you take up the study of security you will probably run into a paradox called the defender's dilemma fairly early on.
That paradox explains that in the game of security (it really is best to think of it as a game between adversaries, the attacker and the defender) the attacker has a single, but extraordinary, advantage: the attacker chooses when and where. For our purposes, it is safe to assume that the attacker can only mount an effective attack at a point of weakness (a vulnerability). Therefore the defender cannot assume which vulnerability he will need to defend.
Of course in a real situation there are risks to be weighed, and not all vulnerabilities can be leveraged for the same effect. However, if a vulnerability cannot be leveraged to cause some harm, then technically it is not a vulnerability. So, assuming the set of vulnerabilities we are defending is limited to those with significant consequences, then, as the adage goes, the defender has to be right every single time, while the attacker only has to be right once.
This simple concept has launched entire volumes on military strategy, and it has led to the strategy employed by the United States, which is loosely to play offense whenever possible. Sadly, in regards to our software products and IT systems we are definitely relegated to defense. What makes software security different from software quality, because of the defender's dilemma, is the absolute requirement it poses.
Two examples help make the point. I flew across the country while writing this on a large domestic carrier. Most aspects of my flight were perfect from a quality perspective: check-in, boarding, the plane, and in-flight service were all among the best you would experience. In most regards the quality of this flight was superb. At the same time, my coffee tasted a bit burnt and I had to wait in a fairly long queue to use the lavatory. Those are clearly lapses in quality, but in no way could I say that an otherwise perfect flight was "low quality". Quality is more or less the sum of the quality of all the components of an experience. Of course some aspects influence any measure more than others; the quality of my pilot's flying skills and the GE engines are always at the top of my list. But we can clearly have some lack of quality and still call something extremely high quality overall.
You can see how fun this will be in a second when we start considering software. Is MS Word a high-quality product? I think so. In fact it is what I use to write most documents. However, if MS Word were an airplane there is probably no way in the world you would hop on one, and we would surely duck for cover any time one was flying over.
By contrast, let's look at security. Suppose we walked up to that house we imagined earlier and checked the bolt on the front door to find it was secured, then went to each and every window to find it was locked and reinforced, only to find that there was a ventilation screen on the side of the house that allowed access into the basement and then through an unlocked pantry into the house. Would that house be secure even though the front and rear doors, and all 19 windows, were? Of course not. Security is absolute, because all we need to do is leave one opportunity for the attacker.
But what if the attacker did not see the vent or did not know the basement had access to the house? Well then we would be lucky, not secure. They say in business that luck is not a strategy. Actually it is, it is just not a good strategy. Likewise, luck is not a good countermeasure in security.
Of course these examples get vastly more complicated when you take into consideration the capabilities of the attacker and the risk associated with compromise, but as with most things, those complexities don't change the basic facts: security is absolute.
NO PERFECT SECURITY HERE.
Now you may have also read that there is "no such thing as perfect security". This is also true. Security, which is either achieved or not, is only going to be adequate against some level of threat and some net risk. Increasing the threat or decreasing the risk will make any security measure inadequate or unnecessary. We never seek to make our security countermeasures foolproof against every perceived threat, just the ones that we reasonably expect to encounter and that can introduce risk we deem unacceptable. This can all be taken into consideration when you define what a "vulnerability" is. As long as you are only considering the ones that have a reasonable probability of exploit and a risk exposure that cannot be accepted, then you must defend all of them or you fail to be "secure".
To be continued...