The Fights We Have to Fight: Fixing Bugs[no description provided]
One of the recurring lessons from Petroski is how great engineers overcome not only the challenges of physical engineering: calculating loads, determining build orders, but they also overcome the real world challenges to their ideas, including financial and political ones. For example:
Many a wonderful concept, beautifully drawn by an inspired structural artist, has never risen off the paper because its cost could not be justified. Most of the great bridges of the nineteenth century, which served to define bridge building and other technological achievements for the twentieth century, were financed by private enterprise, often led by the expanding railroads. Engineers acting as entrepreneurs frequently put together the prospectuses, and in some cases almost single-handedly promoted their dreams to the realists. [...] Debates over how to pay for them were common. (Engineers of Dreams: Great Bridge Builders and the Spanning of America, Henry Petroski)
Many security professionals have a hobby of griping that products get rushed to market, maybe to be secured later. We have learned to be more effective at building security in, and in doing so, reduce product costs and increase on-time delivery. But some products were built before we knew how to do that, and others are going to get built by companies who choose not to do that. And in that sense, Collin Greene's retrospective, "Fixing Security Bugs" is very much worth your time. It's a retrospective on the Vista security program from a pen-test perspective.
Finding bugs: Exciting.
Fixing those bugs: Not exciting.
The thing is, the finish line for our job in security is getting bugs fixed¹, not just found and filed. Doing this effectively is not a technology problem. It is a communications, organizational² and psychology problem.
I joined Microsoft while the Vista pen test was finishing up, and so my perspective is complimentary. I'd like to add a few additional perspectives to his points.
First, he asks "is prioritization correct?" After Vista, the SDL team created security bug bars, and then later refined them to align with the MSRC update priorities. That alignment with the MSRC priorities was golden. It made it super-clear that if you didn't fix this before ship, you were going to have to do an update later. As a security engineer, you need to align your prioritization to the all up delivery priorities. Having everything be "extremely critical," "very critical," or "moderately critical" means you don't know what matters, and so nothing does.
Second, "why security matters" was still a fight to be fought in Vista. By Windows 7, security had completed its "move left." The spec form contained sections for security and privacy. Threat model review was a gate for start of coding. These process changes happened while developers were "rebelling" against Vista's "overweight" engineering process. They telegraphed that security mattered to management and executives. As a security engineer, you need to get management to spend time talking about how security is balanced with other priorities.
Third, he points out that escalating to a manager can feel bad, but he's right: "Often the manager has the most context on priorities." Management saying "get this fixed" is an expression of prioritization. If you've succeeded in your work on "why security matters," then management will know that they need to reinforce that message. Bringing the issues to them, responsibly, helps them get their job done. If it feels bad to escalate, then it's worth asking if you have full buy in on security.
Now, I'm talking about security as if it matters to management. More and more, that's the case. Something in the news causes leadership to say "we have to do better," and they believe that there are things that they can do. In part that belief is because very large companies have been talking about how to make it work. But when that belief isn't there, it's your job as an engineer to, as Petroski says, single-handedly promote your dreams to the realists. Again, Greene's post is full of good ideas.
Lastly, not everything is a bug. I discussed vulnerabilities versus design recently in "Emergent Design Issues."