[SecurityRatty] tag: gary

Software Security Market

Mon, 25 Aug 2008 09:18:59 +0000

Information Security budgets are pretty crufty, they are an accumulation of decisions but the analysis that led to these decisions is rarely revisited, it just snowballs. So the normal Information Security budget is just a legacy artifact of when the network was the greatest vulnerability. Gary McGraw took a pass at reviewing the numbers in software security, breaking down software security sectors like tools and services (note to Gary - I think Aspect does more than just training!). This is great work by Gary to get these numbers to see the real changes occuring in software security. Here were his findings on software security tools:

One of the most important developments in the software security market can be seen in the tools space which, combined, almost doubled to $150-180 million. Top of list are two major acquisitions that closed in 2007: Watchfire's purchase by IBM (somewhere in the range of $120-150 million on 2006 revenue of $26 million) and SPI Dynamics's purchase by HP (for around $100 million on 2006 revenue of $21.2 million).

...

The black box space was flat in 2007, with IBM/Watchfire checking in at $24.1 million and HP/SPI Dynamics earning $22.3 million. Smaller companies in the space, including Cenzic, Codenomicon, WhiteHat and the like had combined revenues around $12.5 million (a growth of 25%, though Cenzic grew 16% and WhiteHat 52%). Most of the growth "hiccup" in the black box market can be attributed to the serious challenges posed by any acquisition. So far 2008 looks to be back on track from a growth perspective in the black box testing space. The global reach that IBM and HP offer are already making a big difference.

On a more positive note, static analysis tools for code review grew at a healthy clip in 2007 into a $91.9 million dollar market. Fortify was up 83% to $29.2 million. Klocwork grew over 60% to $26 million. Coverity grew over 50% to $27.2 million. Ounce Labs tripled their revenue to $9.5 million.

These are very nice growth numbers, what company doesn't want 83% growth? However, the total picture is not so good. Gary's estimate shows the software security space coming in at $150 Million total, yet we see a company like Checkpoint that won the network security war in 1995 with earnings of around $900 Million! One single network security vendor is 6 times bigger than the entire software security space?!? Complete UTTER Madness!

This is the stupefying, stultifying effects of budget cruft, where the decisions made in The People's Republic of Information Security have no bearing on reality of threats or even a business case.

Let's look at networks. Obviously Cisco is the biggest, they earned $39.5 Billion last year. Pretty stellar. So spending $900 Million (Checkpoint) to defined $39.5 Billion seems like a pretty good deal.

Except, let's compare software security spending - last year Microsoft earned $60 Billion, SAP $16 billion, and Oracle $22 Billion. So that is about $98 Billion and you are going to "defend" that with allocating $150 Million worth of software security tools?

	Network	Software
Asset Value	$39.5 billion	$98 billion
Security Investment	$900 Million	$150 Million
Security Investment as a percentage of asset value	2.28%	0.15%

This table greatly disturbs me. From a prioritization standpoint The People's Republic of Information Security is misaligned by orders of magnitude. Next time you read about a data breach, or see an auditor's report with thousands of findings you won't have to wonder how it happened. It happened because Information Security doesn't have its eye on the ball.

Consider that software security tools could grow 50% a year for five years and still be half of where Checkpoint is today!

I see the outcomes of backwards looking, crufty decisions by Information Security every day - one or two software security sherpas heading out to work with thousands of developers, meanwhile the network security people sit around and read the newspaper and go home every day at 5.

The optimistic way of looking at all this data is that there is major room for growth for software security, if you take Checkpoint as a target, then the software security space should evolve to around 2% of the software space meaning that it should evolve into a $2 billion space around fifteen times larger than it is today. Unprotected assets will either be protected or will cease to be assets, VCs get your check books ready.

Show 029 - An Interview with Dennis Fisher

Mon, 18 Aug 2008 11:05:01 +0000

On the 29th episode of The Silver Bullet Security Podcast, Gary talks with Dennis Fisher, executive editor of The Security Media Group at TechTarget. Dennis helps run SearchSecurity.com and Information Security Magazine. Gary and Dennis discuss the current “BS factor” in security journalism, shopping at TJ Maxx right after the TJX privacy breach, the state of software security, and which is harder: being a fry cook at Hardees or working as a PR flack.

Former prosecutor: U.K. hacker's extradition is inevitable

Wed, 13 Aug 2008 09:00:00 +0000

A European court has held up an order to extradite Gary McKinnon to the U.S. to face charges of hacking into military computers in New Jersey and Virginia.

European court delays British hacker's extradition to U.S.

Tue, 12 Aug 2008 09:00:00 +0000

Gary McKinnon, the London resident accused of hacking into U.S. military computers in 2001 and 2002, won't be extradited to face charges until Aug. 28 at the earliest.

Biggest Military Hack of All Time Was Done With a 56k Modem

Sat, 02 Aug 2008 21:50:06 +0000

Gary McKinnon, a British computer expert, claims he's just fascinated with UFOs. Using his home computer and a modem — how WarGames! — he infiltrated military networks and accessed thousands of computers trying to find evidence of alien contact

Silver Bullet Talks with Adam Shostack

Thu, 31 Jul 2008 09:30:21 +0000

Gary McGraw interviews Adam Shostack. Shostack is a member of Microsoft's Secure Development Lifecycle Team. He's worked for Zero Knowledge as Most Evil Genius and Reflective where, as CTO, he focused on static analysis for software security. Shostack recently coauthored The New School of Information Security with Andrew Stewart.

British UFO Hacker Gary McKinnon Is Coming to America

Wed, 30 Jul 2008 15:33:00 +0000

The House of Lords shoots down the final appeal of a British hacker who penetrated U.S. military computers looking for a UFO coverup, despite his complaints that he might be sent to Guantanamo.

Show 028 - An Interview with Bill Cheswick

Tue, 15 Jul 2008 15:30:25 +0000

On the 28th episode of The Silver Bullet Security Podcast, Gary interviews Bill Cheswick, a lead member of technical staff at AT&T Research and all around security guru. Bill has been working in computer security for over 35 years. He coined the term “proxy” in 1990 with reference to firewalls, and co-authored the book Firewalls and Internet Security which was used to train an entire generation of sys admins. Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into “the cloud,” and whether re-naming “Christmas lights” to “solstice lights” would bypass NJ holiday decoration ordinances.

Bill Cheswick
AT&T Research
Lumeta
FWIS
“The Design of a Secure Internet Gateway” (Usenix 1990, coining of “proxy”)
The Apache web server
Turtles all the Way Down
Ed Amoroso’s Silver Bullet Podcast (use blink test to compare)
Solstice Lights

Houghton Mifflin Harcourt server breach leads to notification

Tue, 08 Jul 2008 08:22:09 +0000

Technorati Tag: Security Breach

Date Reported:
7/1/08

Organization:
Houghton Mifflin Harcourt ("HMH")

Contractor/Consultant/Branch:
None

Victims:
"individuals affiliated with Harcourt Trade"

Number Affected:
194

Types of Data:
Social Security numbers

Breach Description:
"Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites."

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

Houghton Mifflin Harcourt (HMH), a publishing company based in Boston, will begin notifying individuals whose information may have been compromised by a worldwide Internet-based attack that affected one of its websites.
[Evan] A "worldwide Internet-based attack" sounds impressive. In order for an attack to be successful, a vulnerability must be exploited. I wonder what the vulnerability was.

On April 25, 2008, HMH's Information Security group learned of a worldwide Internet-based attack that affected one of its non-e-commerce websites.

Within minutes, HMH took steps to secure the affected databases.

HMH has reported this matter to the U.S. Secret Service and state law enforcement, who are actively investigating the incident.
[Evan] I question how "actively" the U.S. Secret Service is investigating this incident. The incident doesn't seem to be significant enough. Sad but usually true. The Secret Service has to prioritize just like everyone else.

As part of its internal investigation, which is still ongoing, HMH retained digital forensics experts to collect and analyze data from the relevant computer systems.
[Evan] The attack was detected on April 25th (not necessarily originated on this date), and the notification went out to the New Hampshire State Attorney General on June 1st. This is a long forensic investigation! I also noticed that this statement mentions "computer systems". Does this mean that more than one server was compromised?

They have determined that social security numbers of approximately 194 individuals affiliated with Harcourt Trade, 2 of whom are New Hampshire residents, were in a company database on the affected computer server, and may have been compromised as a result.
[Evan] I don't like the "may have been" portion of this statement. My definition of compromise probably differs though.

HMH has no evidence to date to suggest that the data has been misused.

Although we do not know whether any of your information has been misused, we are committed to doing what we can to make sure support is available to you

Since learning of the incident, HHM [sic] has:

Reported this matter to the U.S. Secret Service and state law enforcement;
Cooperated with law enforcement, which is actively investigating the incident;
Conducted a thorough investigation of the incident, including an assessment of whether or not the theft created any prospective data security risk;
Identified the sensitive personal information about individuals stored on the affected server; and
Made arrangements to notify affected individuals about the incident in accordance with state laws, offer premium credit monitoring, ID theft insurance, and ID theft resolution services, and provide additional information about prevention and detection of ID theft including information about credit alerts and credit freezes.

HMH is continuing to work with information security professionals to review current policies and procedures to identify steps that can be taken to better protect against incidents of this kind.

We apologize and deeply regret that this happened.

I have asked our editors to reach out directly to everyone affected by this matter and I hope they will be or already have been able to answer your questions.
[Evan] This is a nice touch. The letter to the affected persons was signed by Gary Gentel, President or Houghton Mifflin Harcourt Publishing Company, Trade and Reference Division.

Commentary:
There aren't many publicly available details available other than those outlined in the breach notification, so we are left to speculate. Why was a server that contained a database of Social Security numbers available to this "worldwide Internet-based attack"?

Past Breaches:
Unknown

Show 027 - An Interview with Gunnar Peterson

Wed, 18 Jun 2008 09:30:44 +0000

On the 27th episode of The Silver Bullet Security Podcast, Gary interviews software security expert Gunnar Peterson, a Managing Principal at Arctec Group. Gary and Gunnar begin with the age-old question, “What is security?” They go on to discuss how Web 2.0 and SOA security is progressing, the big idea behind “federated identity,” whether all market verticals can follow the software security lead of the financial services industry, and the inherent badness of the color purple.