This document discusses security issues that arise from the financial incentives of software development. It notes that customers typically do not prioritize or pay for security upfront. As a result, software companies focus on quick development and moving to new projects rather than long-term maintenance. This leaves software vulnerable to bugs and exploits. The document cites several historical examples of major security incidents to argue that both customers and developers need to place greater emphasis on security as an ongoing process rather than an afterthought. It suggests Mauritius could compete in niche markets where quality and security are priorities. Overall, the document analyzes why security vulnerabilities often exist and persist due to economic factors in the software industry.
individuals care?

Closer to web developers: security problems from a financial perspective
Bugs within software. A small subset of bugs cause security problems.
Customer A pays Company A in Mauritius to develop a website: a list of requirements. Does the list of requirements include being secure?
Observation: 99.9% of customers don't want to pay for security at the start of ANY project.

Consequences
One-time contract (ship and forget).
For software companies, there is no financial incentive to maintain websites/apps.
Security is a process, not an add-on.
Foundation, with features A, B, C. Customer A has a time period: feature A will be showcased, feature B will be acceptable, and feature C will be barely working, dangerously hanging on A & B.
The software company needs the developers working on Customer A to move to Customer B. (Wrap it up and ship it.)

Go back in time: the Morris worm (1988)
The U.S. Government Accountability Office put the cost of the damage at $100,000 to $10,000,000.
It is usually reported that around 6,000 major UNIX machines were infected. The Internet was around 60,000 machines at the time.
The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University.

And in 2014
According to the hacker's estimate, there were 1.3 billion IP addresses used online in 2012. Behind each IPv4 address, many people have smartphones (multiply by 3): 3 billion machines make up the Internet.
Heartbleed happened, Shellshock still happened, and vulnerabilities in WordPress & Drupal still pop up.
Have the customers & software companies learned their lesson?

CII
Millions of dollars of shared vigilance. Many big companies pour money in. Prevent the next Heartbleed.
[Side-note: Hackers.mu did submit security patches to OpenSSL & discussed architectural changes to BASH on a public mailing list]

In 2016
"But now that the Heartbleed publicity has worn off, donations have slowed to a crawl," says OpenSSL Foundation co-founder Steve Marquess.
No more funding for NTF NTPD from CII.
"will reluctantly be forced to reduce our support for OpenBSD and related projects," says OpenBSD Foundation director Kenneth Westerback.

Observation
Linux & Open Source is a victim of its own success. Companies pay developers to develop features. Few companies want to pay for security, because of the way the IT industry works.
We can do better in Mauritius: target niche markets where security is required. Don't compete for the low end; compete for contracts where quality matters.

Mauritius & Linux/Open Source Security
How do we measure your expertise?
Metrics
How many security vulnerabilities did person A find? (I found 6 in a previous company where I worked that were confirmed by the developer team)
How many CVEs have company A or person A found? (2 Mauritians)
How many Mauritians are writing patches to fix security problems in Linux/Open Source? (Hackers.mu, and ?)
We still have a long way to go, if we use the above metrics.
Operation C.R
Security audit of Linux & Open Source software by Hackers.mu.
Based on the initial findings of Mr Chamberlain in FreeBSD. Read the WikiLeaks papers for Vault 7.
Apply a similar patch in other Open Source projects such as libarchive, uclibc-ng, prism GDK, webkit, opnsense, ipfilter, pfsense, etc.

Acknowledgement
Tim Kientzle (US): Software engineer at Apple. (ex software engineer at Google)
Wbx (DE): uclibc-ng maintainer (used in tons of embedded products)
Franco Fichter (DE): Firewall company in Germany & OPNsense core team (nice guy)

Further acknowledgement
Loos (BR): FreeBSD developer working at pfSense.