Silver bullets or magic beans?
January 14, 2008
Everyone knows the story of Jack and the Beanstalk (but let me summarize for those that don’t), where Jack trades the family cow, their very last possession, for some magic beans on the way to market, where he was supposed to sell it to get some money to feed them. When Jack’s mum finds out about this, she throws the beans out of the kitchen window and sends Jack to bed without supper. Overnight the beans grow up to the clouds, and to cut a long fairy-tale short, Jack climbs up, has a great adventure, and comes down with a goose that lays golden eggs, thus setting him and his mum up for life.
In the software industry, we have a similar “magic beans” tale of “silver bullets”. Fred Brooks in 1986 claimed that there were no more silver bullets in the computing industry, where such silver bullets were “[things that] create a twofold improvement in programmer productivity over two years”. Although Brooks was careful to limit his claim to programmer productivity only, the silver bullet claim has been applied to any technology, technique, process, etc, that gives a huge improvement or solves a major problem (that was intractable until now).
If we take Fred’s claim as law, where does this leave us with all the vendors out there claiming that X, Y or Z will solve all your problems? Now, the computing industry is a big field, and I work in a very small part of that, so I’ll look at one very specific (but important) area - security, and to keep an even tighter focus, web software security. Are the “silver bullets” of Web Application Firewalls, Application Scanners, frameworks, APIs and platforms really going to save us? The answer, unfortunately, is no.
Let’s go back to Jack’s magic beans. Once again, if Fred is correct, when Jack’s mum throws them out of the window they are not going to grow into the clouds overnight, because they are not magic. However, even if they are not magic, they are still beans - and over time they are going to grow into a (non-magical) beanstalk. It might not have been a great trade, but at least they have something that will continue to feed Jack and his mum (and probably a little healthier than milk and steak!).
So what can we learn from the tale of Jack and the (non-magic) beanstalk and software security?
The first thing is that no matter what the claims of the vendors, one solution (be it a product, service, technique, etc) will not suddenly make all security concerns go away. However, it’s very unusual for an offering to be completely without any benefit, so with time, patience, and a little nurture, it will provide an element of sustenance.
Let’s return to the software security field for some examples. Will using a Web Application Firewall mean you don’t have to worry about the state of the software itself? Of course not, and I don’t know anyone (other than perhaps sales people) that would make such a claim. But will a WAF provide absolutely no benefit? Also no - it would at least provide coverage for common attacks that may hide in some dusty corner of the application that has been forgotten, and provide monitoring to give warning of potentially malicious activity. Switching to a service now, what about penetration testing? On its own, as a one-off, it’s also not going to solve all your security concerns, but as part of an ongoing process, combined with learning from the results, it can really institute a path towards more secure systems.
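To make the WAF point concrete, here is an added example (not code from the original post, and not from any real WAF product) of the simplest possible signature filter with logging. The rule set, the request samples and the function names (`inspect_request`, `decide`, `run_sample`) are all constructed for this illustration. It shows both halves of the argument: the two “basic form” requests are caught and reported, while the last two requests, which only change values the application should not have trusted, pass straight through because nothing in them looks syntactically unusual.

```python
import re
import logging
from urllib.parse import urlsplit, parse_qsl

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("mini-waf")

# Constructed signature rules for the two attack classes "in their basic form".
# A real WAF rule set is far larger; these exist only to show the mechanism.
RULES = {
    "sqli_basic": re.compile(
        r"('\s*(or|and)\s+'?\w+'?\s*=|union\s+select|;\s*drop\s+table)", re.I
    ),
    "xss_basic": re.compile(r"(<\s*script\b|javascript\s*:|\bon[a-z]+\s*=)", re.I),
}


def extract_params(url, body=""):
    """Collect (name, value) pairs from the query string and a form-encoded body."""
    query = urlsplit(url).query
    params = list(parse_qsl(query, keep_blank_values=True))
    params += list(parse_qsl(body, keep_blank_values=True))
    return params


def inspect_request(method, url, body=""):
    """Run every rule over every parameter value.

    Returns a list of (rule_name, param_name) hits; an empty list means the
    request passed. Each hit is also logged, which is the "monitoring" half
    of what a WAF gives you.
    """
    hits = []
    path = urlsplit(url).path
    for name, value in extract_params(url, body):
        for rule_name, pattern in RULES.items():
            if pattern.search(value):
                hits.append((rule_name, name))
                log.warning("blocked %s %s: rule=%s param=%s", method, path, rule_name, name)
    return hits


def decide(method, url, body=""):
    """Block on any hit, otherwise allow."""
    return "block" if inspect_request(method, url, body) else "allow"


# Constructed sample traffic. The first three lines are the "common attacks" a
# signature filter can see; the last two are well-formed requests whose only
# problem is the *meaning* of the values (business logic / authorization), so no
# signature fires and the application itself must enforce the rule.
SAMPLE_TRAFFIC = [
    ("GET", "/product?id=42", ""),
    ("GET", "/product?id=42' OR '1'='1", ""),
    ("GET", "/search?q=<script>alert(1)</script>", ""),
    ("POST", "/checkout", "item=42&price=0.01"),
    ("GET", "/account/statement?user_id=1002", ""),
]


def run_sample():
    """Apply the filter to the sample traffic and return (method, url, decision) triples."""
    return [(m, u, decide(m, u, b)) for m, u, b in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for method, url, verdict in run_sample():
        print(f"{verdict:5s} {method} {url}")
```

The two “allow” results at the end are the point of the paragraph above: the filter has done real work on the requests it can recognise, but a reduced price or another customer’s account number is indistinguishable from legitimate input at this layer. Finding those requires someone who understands what the application is meant to do, which is why testing and review have to continue alongside the product.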
As with all fairy-tales there’s some moral to the story, and as we now don’t believe in magic (beans, bullets, or otherwise), what have we learnt? It’s very simple, and just as in the stories, something we’ve always known from the start. Real security takes effort, happens over time, and there are no shortcuts. There are lots of strangers on the way that may offer us magic beans or silver bullets, and although they won’t solve all our problems (despite their claims), they do often provide some benefit.
Now go eat your greens!
January 15th, 2008 at 11:09 pm
Wanted: More Penn & Teller’s | Mike Andrews said: [...] So, this is a call out for more Penn and Teller’s of the security world. Share the knowledge as far and wide as you can. Let other testers, developers, consultants, clients, management, etc, etc, etc, know about the “tricks” you’ve found, describe how they work, and make the attackers (who no doubt already have this information, and use their own knowledge networks much like the magic castle/magic circle) work harder - you’ve seen the sleight of hand, and it no longer fools you. Over time we’ll expose how the “John the Magnificent”, script-kiddie-esque, tricks work, leaving just the “master magicians”. It’s debatable how much this will help, but I think moving the bar, education and knowledge is one of the remaining silver bullets. [...]
January 22nd, 2008 at 7:45 pm
Crystal ball 2008 | Mike Andrews said: [...] they can be used in catching certain attacks like SQL injection and XSS in their basic form, and therefore are of some use, but after these attacks are gone what is left are business logic flaws, authorization flaws, and [...]
June 19th, 2008 at 9:57 pm
VA+WAF: that’s hot! | Mike Andrews said: [...] However, just because it’s not a magic bullet, doesn’t mean that there’s not at least some worth behind the [...]