Friday 13 November 2009

Part II - Why IBM will ‘solve the problem’

As one can see from Part I of this post series, IBM is currently investing considerable resources in the Application Security space. 

The question is, will they ‘solve the problem’? I.e. will IBM with all this investment create products (in the next 1 to 2 to 5 years) that will REALLY allow complete, thorough and maybe even ‘scientific’ analysis of Web Applications (& all their dependencies)? 


From a pure product point of view, the answer is NO (or at best maybe). 

Why? 

Because from the point of view of IBM’s software division (i.e. Rational), and as with all other products they sell, the objective is NOT to ‘solve the problem’ BUT to be better than the competitors.

And that is just market reality! 

It is not IBM’s fault, it is just the way the game is played. 

From a product point of view, there is no major commercial interest in ‘solving the problem’ since:
    a) most clients don’t want to pay for a problem they don’t understand they have, and
    b) in some markets ‘solving the problem’ would actually mean ‘reducing the market size’ 

In fact, one could argue that this lack of 'market incentive' is the reason why (from the point of view of a knowledgeable technical user) a large number of Security Tools and solutions never go beyond a certain level of quality and value to the customer. 

But then, why will IBM (as a company) ‘solve the problem’? 

My prediction is that over the next 2 to 5 years, IBM will solve the problem! 

Not because they want to sell more ‘security related products’ ... 

But because IBM strategically needs it ... and, very importantly, needs to do it under Open Standards with the support and endorsement of all players (OWASP, Framework developers, Language Developers, Governments, Security Consultancies, etc...) 

Just like Google needs people to continue to use the Internet, so does IBM need software to be secure. 

Here are a couple of areas which will backfire spectacularly for IBM unless the software/application security problem is solved:
  • Smarter Planet (http://www.ibm.com/ibm/ideasfromibm/us/smartplanet/index.shtml) - IBM has come up with an amazing vision for the future (which I think is great) that is focused on building ‘smarter’ solutions by leveraging the interconnections and capabilities of millions of digital devices (for example building a ‘Smarter Electric Grid’ or a ‘Smarter Traffic Light System’ or a ‘Smarter City’ or a ‘Smarter Workforce’). The problem is that you can’t really have a ‘Smarter Planet’ which is built on insecure software. But why should this affect IBM’s business model? Because the number of sales and ‘smarter solutions’ that IBM will be able to sell (and make money with) will be greatly reduced due to the Risk posed to the end clients by not being able to have high ‘Assurance’ of the security and resilience of these ‘smart solutions’. And of course, WHEN (not IF) one of these ‘Smart Solutions’ is exploited by a criminal group in a high-visibility manner, the financial damage to IBM would be enormous (i.e. once one ‘Smart Solution’ is exploited and the ‘myth’ of security is blown away, ALL ‘Smart Solutions’ will re-evaluate their RISK analysis models). But what happens if IBM does ‘solve the application security problem’? Then IBM will be able to build ‘Smarter Solutions’ that don’t have systemic failures and are able to contain and absorb malicious activities within an acceptable level of RISK.

  • Enterprise Application Development - Another reason why IBM needs to solve the ‘Application Security problem’ is because IBM itself is a major software developer who builds highly integrated, complex and very profitable (to IBM) solutions. But what about security? Well, as we say at OWASP, you can’t “hack yourself secure” and “security doesn’t happen by accident”, so unless we change the way software is developed & deployed (from a security point of view) it will be impossible for IBM (regardless of how much money it spends) to build ‘secure applications’ for its enterprise customers. As an example of what could happen in the future (and this could also work for the ‘Smarter Planet’ example), take this FUD case study published in October’s issue of the Harvard Business Review magazine: http://hbr.harvardbusiness.org/2009/10/when-hackers-turn-to-blackmail/ar/1. This article talks about a Hospital that implemented a ‘smart’ IT solution and became highly optimized and productive. The problem happened (in this fictional case study) when some malicious attackers took control over that hospital’s applications and shut it down (which is very easy to do if you control the application). So what would have happened if the company that built, deployed and maintained that application was IBM?

  • WebSphere family and WebSphere Portal - The WebSphere family of products (see the big list here: http://www-01.ibm.com/software/websphere/), namely the WebSphere Application Server (http://www-01.ibm.com/software/webservers/appserv/was/) and WebSphere Portal (http://www-01.ibm.com/software/websphere/portal/), have a massive strategic REQUIREMENT for the resolution of the ‘secure software’ problem. In fact, I could actually make the Business Case to the WebSphere Division that they should be spending the same amount of money IBM is currently spending with its AppScan division in JUST solving the ‘WebSphere Security Problem’. Because let’s be clear, at the moment there is NO tool in the application security space that is able to handle the complexities and security implications of creating WebSphere applications. A good example is the highly customized solutions created for WebSphere customers (via 3rd party Systems Integrators) who are creating thousands if not millions of lines of code on top of WebSphere APIs whose security implications are not known/understood by the developers who wrote them.

  • Lotus Collaboration Tools (http://www-01.ibm.com/software/lotus/) - Lotus is another area of IBM’s products for which the current lack of technological solutions to analyze, understand, validate and remediate the security implications of the collaboration-driven software solutions used by millions of users presents a real business risk, for which they have NO short or medium term solution.

I could go on and on here (IBM does have a LOT of products), but I hope I made my point that ‘Application Security’ i.e. ‘Software Security’ is a Board Room C-Level issue for IBM. 

IBM has a duty to its shareholders to minimize risks to its global sustainability and profitability, and ‘Application Security’ is an area that, when it starts to become more serious, WILL affect IBM. 

Just like Gunnar’s vision that ‘brakes allow cars to go faster’, Software Security will allow IBM to maximize its reach and enter new markets (for example, look at how much the insecure state of the earlier versions of Windows cost Microsoft and the Windows ecosystem). 

The best analogy that I have for the current FOG that is ‘Software Security’ is the FOG that our financial system was until last year: highly interconnected systems, built on top of ‘products’ whose composition nobody really understands, which create alternative realities which ‘look like they work OK’, until the whole thing collapses. 
