Revisiting some thoughts from almost 20 years ago

Before you start reading this, I want to point out that there is no point to this article other than to revisit something I wrote almost 20 years ago and the fact that it’s as true today as it was ‘back then.’

When I look back on my career, one event that really stands out is co-authoring Writing Secure Code with my good friend David LeBlanc. At the time, he was in Office and I was in Windows. The first edition was about 500 pages long; we then wrote the 2nd edition in 2002-2003, and it was almost a complete rewrite of the book at 815 pages.

During these years, the impact of the 9/11 attacks on the US made terrorism front-and-center and people thought more about asymmetric warfare. This got me thinking: what is it that makes it so hard to protect systems from attack and exploit? One answer is “Asymmetry”.

Internet-based attacks are obviously an asymmetric concern, just like terrorism.

So, while writing Writing Secure Code 2nd Ed, and in the interests of coming up with a catchy phrase, I came up with:

The Attacker’s Advantage and the Defender’s Dilemma

Catchy, isn’t it? 🙂

The four principles are:

  • Principle #1: The defender must defend all points, the attacker can choose the weakest point.
  • Principle #2: The defender can only defend against known attacks; the attacker can probe for unknown vulnerabilities.
  • Principle #3: The defender must be constantly vigilant; the attacker can strike at will.
  • Principle #4: The defender must play by the rules; the attacker can play dirty.

Essentially, all these principles hark back to asymmetric conflict.

This asymmetry favors attackers and sadly, as defenders, we are always on the back foot, which simply means we have to do more to protect our systems from attack.

You might be wondering what on earth made me think of something from 20 years ago? A topic was brought up on LinkedIn by another friend and ex-colleague, Adam Shostack. This is what jogged my memory.

Take a look at the article and I think you’ll agree “The Attacker’s Advantage and the Defender’s Dilemma” is as true today as it was 20 years ago when David and I wrote WSC 2nd Ed.