1. 20

  2. 9

    This is heavy on promoting their use of formal methods. I think it’s a mix that mostly doesn’t involve formal methods. One component is probably customized stuff that attackers have no 0-days for since they simply don’t have the code. Another might be the fact that they do get breached but it’s not reported. That’s been very common in large companies for a long time.

    1. 21

      An additional factor which the article touches on but only dismissively is that the big three have a budget that allows them to “Get sleep, Eat right, and Exercise”. Google, AWS, and MS spend a lot of money on security and they regularly require issues to be addressed when they are found. Part of the reason they can afford to do so is that they have enough budget and market share that they can afford to delay a release, or put engineers on fixing a security bug. But part of it is just that they take it seriously. The magic bullet here is commitment and follow through.

      1. 6

        I guess we’ll see how well formal methods hold up once one of the big three starts losing their way into a Yahoo! position, and the ninjas have to be replaced with mall cops.

        1. 3

          I suspect the first thing they’ll do (at least in the AMZ case) is stop making changes to established products (I mean, they already barely ever make changes to established products). In that case, the security system is already built and doesn’t really need an awful lot of additional defence.

          Most security flaws are introduced when you add new features to an existing thing.

          1. 2

            Interesting idea. One difference is they mostly have other lines of business that subsidize the cloud ambitions; ad/search, OS and office suite, etc… whereas Yahoo didn’t.

          2. 4

            The magic bullet here is commitment and follow through.

            As a metapoint, this is pretty much the magic bullet for nearly everything I’ve seen in a serious sense: skill at music, painting, staying fit, academics, you name it, that’s how to make meaningful improvements.

            The other metapoint is that you are most likely to succeed at what you prioritize: given the n hours in a day, the hours spent are what you prioritize (contra what you put on your sprint board, posters, whatever). Thus if you want security, you need to have k > 0 hours/day devoted to security in a good faith effort.

            1. 3

              That sounds about right.

            2. 1

              All US states require some notification for security breaches that affect their residents.

            3. 10

              How sad that basic expectations are unreasonable.

              1. 4

                We should do better but a quick search tells me that there are about 4,200 bank robberies a year in the US. That’s a problem with a much longer history.

                1. 4

                  That’s actually an interesting analogy to explore. I’ll note that banks rarely keep all of their money in the same vault. It’s pretty hard to walk into a Wells Fargo and walk out with all of their money, no matter how large a gun (or wheelbarrow) you bring.

                  1. 4

                    That’s why I think protection heterogeneity and decentralization are good strategies at times.

              2. 2

                Is there a tool that packages formal methods goodness for configurations in a multi-environment, ops-friendly way? I’d love to have something that could check constraints on things like firewall rules or object permissions to reveal accidental loopholes or missing settings. Kind of like Terraform, but for verification.
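                As an added illustration of the kind of check wished for above (example code written for this thread, not a tool the commenter or the article describes), here is a small invariant checker over an ordered firewall rule list. The `Rule` shape, the three invariants (explicit default deny, admin ports not reachable from arbitrary public addresses, no rule shadowed by an earlier one with the opposite action) and the two sample rule sets are all constructed for the example.

```python
"""Constructed example: invariant checks over an ordered, first-match
firewall rule list. Rule format and policy names are assumptions made
for this illustration, not any real tool's schema."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # source CIDR
    dst_port: tuple  # inclusive (lo, hi) destination port range


# Ports we never want reachable from arbitrary public addresses.
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}
ANY_PORT = (0, 65535)


def port_in(rule, port):
    lo, hi = rule.dst_port
    return lo <= port <= hi


def covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    o_net = ipaddress.ip_network(outer.src)
    i_net = ipaddress.ip_network(inner.src)
    return (i_net.subnet_of(o_net)
            and outer.dst_port[0] <= inner.dst_port[0]
            and inner.dst_port[1] <= outer.dst_port[1])


def first_match(rules, src_ip, port):
    """First-match semantics: the earliest rule that fits decides."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in ipaddress.ip_network(r.src) and port_in(r, port):
            return r
    return None


def check(rules):
    """Return a list of findings; an empty list means every invariant holds."""
    findings = []
    # 1. Missing setting: the list must end in an explicit catch-all deny.
    if (not rules or rules[-1].action != "deny"
            or rules[-1].src != "0.0.0.0/0" or rules[-1].dst_port != ANY_PORT):
        findings.append("missing-default-deny")
    # 2. Loophole: probe the *effective* policy with public addresses
    #    (documentation ranges) rather than reading rules one at a time.
    for port, name in ADMIN_PORTS.items():
        for probe in ("203.0.113.7", "198.51.100.200"):
            m = first_match(rules, probe, port)
            if m is not None and m.action == "allow":
                findings.append(f"{name}-open-to-internet:{m.src}")
                break
    # 3. Shadowed rule: an earlier, broader rule with the opposite action
    #    means this rule can never fire, so its intent was silently lost.
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r) and earlier.action != r.action:
                findings.append(f"shadowed:{r.src}:{r.dst_port}")
                break
    return findings


# Constructed sample rule sets.
WEAK = [
    Rule("allow", "10.0.0.0/8", (22, 22)),
    Rule("allow", "0.0.0.0/0", ANY_PORT),   # "temporary" catch-all allow
    Rule("deny", "0.0.0.0/0", (22, 22)),    # never reached: shadowed above
]
HARDENED = [
    Rule("allow", "10.0.0.0/8", (22, 22)),
    Rule("allow", "0.0.0.0/0", (443, 443)),
    Rule("deny", "0.0.0.0/0", ANY_PORT),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check(rules) or "ok")
```

                The point of probing the effective policy (check 2) rather than grepping individual rules is that the loophole in `WEAK` lives in a rule that never mentions port 22 at all; only evaluating the ordered list the way the firewall would reveals it.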

                1. 3

                  Bagpipe is a tool for validating BGP configurations.
                  The same research group also wrote a formal semantics for BGP.

                2. 1

                  I get the analogy of best practices in security to “get sleep, eat right, and exercise”, but calling formal methods a hack or a trick completely breaks the analogy for me. It’s like calling running marathons a hack to be healthy.

                  1. 0

                    All marketing, no content

                    1. 3

                      If nothing else (I digress), it provides a substantial list of tools relevant to solving the problem at hand, and where (and briefly how) they’re used. That alone is an invaluable start for further research into the topic, and a goldmine for a heads-up as to how secure systems can be architected.

                      1. 2

                        Like hell. They mention all kinds of tools for readers to look into, how they use some of them, and a bunch of articles and presentations. Can’t see how you equate that to zero content.