Abundance; IT Security's SNAFU

I have gotten permission from RedSocks to re-publish articles I wrote for RedSocks.
They will be republished after they have appeared in their intended place so please mind that they may seem out of context and/or dated at times.

For more information please contact [email protected] or visit https://redsocks.eu/

First published: LinkedIn on May 20, 2015

Although the title may sound a little presumptious, the fact is that at the moment of writing the ‘situation normal’ in IT Security is “ A.F.U.”.

How come?

Although you might want to blame programmers, systems administrators or IT managers, the root cause, however, is ‘abundance’.

So, how can abundance become the root cause of SNAFU?

Well, there is a small (as compared to the total) number of developers in the world that is security conscious, can write secure code and can review code in order to fix it. Each of these developers can handle a limited number of projects at any given time.

On the other hand, there is an almost limitless supply of developers that are not well versed in the subtleties and intricacies of secure development.

They can be mobile app developers using app creation tools (which in turn have been developed by developers that do not understand what their generated code is doing or could be doing), they can be freshmen wanting to get their names into a prestigious open source project, they can be impatient developers that want ‘it’ to just work, they can be developers that actually do not care so much because ‘it is just to pay the bills’.

So, assume that alll of these developers together produce roughly 2 billion lines of code every day (based on assumptions of 15 million developers producing around 133 lines of code a day; I completely ignored all automatic code generation tools). If we take an average from the published exploitable vulnerabilities per 1000 lines of code (LoC) of 0.05 we get to a staggering 100000 vulnerabilities per day.

Now, these numbers are just ‘on the back of a napkin’ calculations and there are lots of mitigating factors (a lot of code written is actually a fix for a bug, lots of code paths never become accessible to an exploit and of course lots of projects never get finished).

But even if we downgrade that number by a factor of 1000, we get 100 vulnerabilities a day (yes, you can see why the real number is probably a lot higher).

Almost 40000 new exploitable vulnerabilities per year.

But that is just on the production side.

If everyone on the planet were to immediately update whenever a fix becomes available, an international effort could have been made to found a world wide code reviewing body that reviews and fixes vulnerabilities.

Alas, as you may know (either because you are a culprit yourself, or you are the one telling everyone around you to ‘update!’) the rate of applying updates and fixes is quite low, so it would be a wasted effort (although corporations might want to get together and sponsor such an organization focused on enterprise software).

Besides the ‘I can’t be bothered factor’ there is also the ridiculously fast life-cycle of IT products (mobile phones, tablets, laptops, desktops) coupled to relatively low prices which prompts owners to rather ‘get a new one’ than understand and maintain their current device and it’s environment. This behavior is ‘encouraged’ because all personal data can be stored in the cloud and so we can move from one to the next in a matter of minutes.

To compound matters, the old devices are handed down without any fixing to teenagers and children who not only are unable to fix these devices, but are also more gullible and therefore more prone to psychological attack vectors (i.e. “If you want to install this colorful awesome game from pirate site X, disable your protection because it falsely says this software is evil.”)

And just to nail our coffin shut, we are on the verge of producing a whole new range of autonomous security risks by creating ‘the internet of things’, where most of these things are horrible when it comes to security updates, will be abandoned very fast (time-to-market, short product life-cycle) or there are just too many in a person’s life to be able to find the time to update them.

The numbers used here are all rough estimates and probably will seem risibly low in a few years time, but the gist remains the same; abundance is the main cause of the current IT Security SNAFU.

Oh, and just because you did update nicely, it does not mean you are safe.

You are reading this with a device that has at least 25 critical vulnerabilities still unpatched…