Bug-free code: Another computer security lie

Behavioral psychiatrists say that virtually all people lie. Most are little white lies to protect the feelings of others. Some lies are acts of commission — a deliberate statement of untruth — whereas others are lies of omission.

In the latter case, someone tells an absolutely true fact, but leaves out a very important related point — which, if known, would result in an entirely different understanding. (I’m the parent of four kids, so I know lies of omission well. )

Here’s a common scenario in computer security that most people don’t know about — and perfectly illustrates the power of lies of omission.

Absolute security perfection!

I was recently involved in a group review of a computer security product. Like many computer security vendors, this one claimed its product was unhackable.

To prove this, the vendor had submitted its product for security review to an “independent,” well-respected security company, and the product had received a clean bill of health. The security review company found no programming errors and no ways to critically compromise the product. The VP of sales veritably gloated with joy as he told the large group of people this “fact.”

I asked the VP if he could share the detailed review report with me. He said yes. As I expected, he sent me a one-page “public” summary letter, which said that the product was reviewed and found to be free of security bugs.

Most people would take this result to mean the product was found to be bug-free and unhackable. But that couldn’t be further from the truth. This guy didn’t know it, but when I had worked for this particular security review security company in the past, I’d learned an ugly secret.

The company lies. But it’s more of an act of omission than commission. 

What security review companies don’t tell you is that each submitted product undergoes two reviews.

The first review finds all the bugs and mistakes. The vendor then fixes all those mistakes and resubmits the updated product for review — whereupon the computer security review company does a cursory review, evaluating and testing the same items … then declares the product bug-free. At the end of the process, the vendor can happily tell all potential customers that its product is “unhackable.”

Going in, vendors know they’ll end up with a clean bill of health they can brag about. It’s why they agree to pay strangers to do a security code review followed by a public letter in the first place.

No bugs? Look again — and again

Here’s what I want you remember: No software product is bug-free, no matter what any report says, for numerous reasons.

First, the intent of most security reviews of this type is to end up with a public letter saying the reviewed product is flawless. If that’s the intent before the contract is signed, how can there be a different outcome? Needless to say, it changes how intently security review companies look for bugs.

Second, no single code reviewer or hacker team ever finds every bug. They find every bug they’ve been trained to find by their tools and experience in the amount of time they’ve been given. Add more teams (for experience, skills, and tools) and in time, you’ll find more bugs. That’s 100 percent guaranteed.

Third, when you’re on a security review team, you normally find hundreds to thousands of bugs — often the same bug repeated over and over. But in your review, once you’ve found enough bugs to fill up hundreds of pages of a report and “earned your money,” where’s incentive to find more bugs? At some point, you feel like you’ve done your job.

Fourth, and most important, the real test of any product occurs when it goes mainstream. Your product can have hundreds of thousands, even a million users, but its past security record doesn’t mean a thing until it’s installed on many millions of computers.

When a product goes mainstream, hundreds or thousands of unwanted code reviewers and product testers start pounding on it. They’ll find the bugs that others did not find — and if the vendor is unlucky, they’ll use that evidence to scare away customers.

Tell me another one

When a vendor tells me its product is unhackable, I immediately think: Are you clueless or lying to me? My respect goes way down. I starting wondering what else they’re lying about.

To impress me, a vendor needs to present its product to a reputable, experienced security review company — once — and let me see the detailed report. The “all clear” second review is merely a lie of omission.

This is not to say that security reviews conducted by trusted, experienced companies are worthless. On the contrary, they discover security bugs and give you a chance to fix them. Your product is more secure than it was before. But that reality is a far cry from saying a product can’t be hacked.

If a vendor really wants to impress me, it should do as many major software vendors do and run “bug bounty” contests where anyone can participate, with scheduled professional reviews from a respected company. That’s the best of both worlds.