Let's take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn't going away. We have a horribly insecure software ecosystem that let's the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDos armies at whoever they choose and are able to shut down their networks

It is time to stop thinking about computer security as a castle wall and moat problem and to start looking at it as an ecosystem problem. We can't secure our networks or those of our allies by building bigger walls any more than the President of the United States can keep our air clean for government workers by enacting tougher emmision standards for US government vehicles. It is a global problem that requires a global solution.

There has been no global cooperation to date to help the average computer user keep his or her computer secure. Yet we talk about keeping car emmisions down. But the effect of both is similar. In a shared environment, be it the water and air or an information infrastructure. Each individual user contributes to the health of the system.

Each insecure computer is much like a polluting car. By itself there is little risk of harm. But when the software on that computer is compromised and taken together with all the other computers with that software, the risk builds up until it reaches a critical mass. We see that critical mass when groups, nation state sponsored or simply criminal, are able to destroy network connectivity for their targets using these compromised computers

Make no mistake. The root cause of these denial of service attacks is insecure software. It might be an operating sytem vulnerability or a vulnerability in a media player, web browser, or the latest cool social networking widget. These vulnerabilities let the attackers chip away one by one at the internet ecosystem like cancer cells. At some point the malignacy is great enough that it can destroy a high value target.

The only solution is to protect those individual cells from becoming malignant. Each and every computer system, and each and every software package running on them must be made secure. There is no easy fix. This is a hard problem. I have been studying it for 15 years since I was a researcher at a group called the L0pht which testified before the US Senate in 1998 that we knew how to take down the internet in 30 minutes. I wish this was an easy problem to solve, but it is not. It will only get worse as more computers are connected to the internet and we rely on the internet to be a safe place to exchange information and conduct business.

The solution is to make sure every piece of software we run is secure. It is much like the environmental problem were every car or every factory must meet an emissions standard. It can't just be the cars driven by wealthy people or the factories making one type of product. It must be all. Until we start to think of the computer security problem as a global ecosystem problem with the root cause individual computers running everyday software, we are destined to fail.

The solution is to test all software before we run it. It can't be a crapshoot whether something is going to cause harm if it is running on a million computers. We need to know.

Veracode Security Solutions


Security Threat Guides

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (4)

Chris | July 9, 2009 7:12 am

I like the cell analogy, so lets go with that. Molecular biology seems to be the field we computer security people are looking towards for answers to our own problems these days. And that's not necessarily a bad thing but it does bring up the question: 'Is the cat and mouse game ever avoidable?'. (I don't think it is). But we can become a better cat. We need a good way to tell the ecosystem those cells are infected and require a cure, or at least detect the symptoms early. So we should also be looking at other fields such as neuroscience (the CS community has for a long time). Every country have their own dominant social networking website, this is a good place to start to get the word out 'mass infection happening ... do xyz'. You can't post it on ISC and expect 500 million normal people to read it. This also raises the possibility of an attacker using that same system for malicious gain, but certain virii does this in nature IIRC. While auditing all software before release is a great idea (and yes is great for business ;) its not %100 possible, the same way your born with flawed cells that will eventually be owned by some virus specifically designed to exploit its weaknesses. One thing is certain, I am not smart enough to solve this problem. Good post.

cwysopal | July 9, 2009 12:00 pm

One malignant cell is not a problem. It is when they reach a critical mass withing the community of cells making up the animal that is a problem.

The way I look at it many low risk compromised machines (the home PC user) be come a high risk collectively to any single machine on the internet community.

CrabbyOlBastard | July 9, 2009 1:50 pm

If one were able to get secure coding codified and implemented, then I believe that the problem will then be the human nature aspect. Unless forced by software, they will more often then not, weaken their systems by installing rogue software, lessening passwords, or being completely unversed in security practices.

It's a tough nut to crack overall... There may never be a solution to this problem.

Richard Bejtlich | July 11, 2009 4:33 pm

"The root cause of these denial of service attacks is insecure software... Each and every computer system, and each and every software package running on them must be made secure."

You mean like every single physical asset is "made secure?" I'm guessing you live in a concrete house with bars over the windows, send your kids to school in an armored personnel carrier, etc.?

The root cause of these denial of service attacks is a group of bad guys. We need to deal with bad guys in the cyber world like we deal with them in the physical world.

If you say you lock your house I'll mention bump keys, breaking a door or window, etc. The same goes for cars and every other example. Real world security is threat-focused, not vulnerability focused.

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.