Security Posture

“Posture is Destiny” – Sensei David Martin

I submitted two talks last year to Defcon which were both summarily declined.  While disappointing, in retrospect it’s been for the best.  I have subsequently given both, though the one that sits close to my heart is focused on the phrase “Security Posture.”  Posture is such a dear and important part of my life I feel as though I should offer something on the topic, since the current usage is such a travesty.

The phrase “Security Posture”, is frequently used in our industry– however to date, I’ve not been able to find a single attempt to actually define it.  Oh sure, you will often hear folk say, “this negatively impacts your security posture” or “you need to improve your security posture”– and since it’s never defined, it appears that everything* seems to affect your security posture.  And yet, while I believe I get the general gist of what people mean– I’d rather not play around with non-actionable vagaries.  I think its more important to understand what posture actually is first and then apply our understanding of that in relation to security.

In a Webster dictionary sorta sense (sorry not Oxford)– posture is composed of structure and emotion both focused around a particular purpose.  I like to think of posture as a predisposition toward action.  The physical component is that of structure and alignment cohesively applied to achieve a specific goal.  The emotional components are attitudes an even values that develop to assist in achieving that goal.

For instance, runners assume a very different posture for a long distance race vs. a short sprint for speed.  The posture they are assuming is specific to the action they wish to achieve– it’s optimized for it.   Not only do racers garner their physical resources toward efficiently achieving that goal– but they also adopt a mindset that gives them the wherewithal to complete and endure the race.  They are in it– all of their body, all of their mind, all of their heart, to win. And when that happens, it’s a beautiful thing.

People who are chasing a quality posture, generally, go through a structured and demanding process of very persnickety attention toward it.  Think of the countless hours masterful baseball players practice swinging a bat, or dancers work their lines.  Their ability to make their bodies resemble the model of peak posture in a given system  would be how we could reasonably measure its quality.  We could also measure their posture in a less mechanical way by evaluating it in relation to the values of their system.  Saying something like, “you appear to be forcing this movement” reveals a value statement toward forcing something as being bad.  Some of those values are unique to a given system, but not always.

Sadly– and perhaps because it’s such hard work, most people have very horrible posture… especially computer folk.  And yet, we’ve gotten this far in life with out it.

I mean think about it, how many people reading this post are hunched over their computer with their shoulders rolled forward**?  How many people really consider biomechanics when picking up a cup of coffee?  Yet, in both cases we are still capable of achieving those tasks.  But it’d be a lie to say its quality.  In fact, when the assumptions we make about those tasks are altered we often fail.  Who do you know has hurt themselves by trying to pick up a “light box” that ended up being much heavier than they thought?  In addition to those short-term dangers, there are also long-term risks associated with poor posture.  Poor posture may indeed ruin you.  I cannot stress how hard it’s been (physically) correcting issues with my shoulders associated to poor posture.

But I digress– We still haven’t actually defined what security posture is.  Unfortunately, however I tricked you– because I’m not going to bother to attempt it.  I believe the phrase is utterly useless in the general sense because it’s not specifically talking about anything other than a vague notion in the first place.  Unless you are applying the phrase to a specific subset of business processes, and even then to a specific strategy associated with the belief of success– you cannot measure the quality of a security posture.  If all that sounds like I’m nuts, consider trying to evaluate a baseball players posture using criteria of quality a soccer player might need.  Or measuring a fencing posture by using some classical Japanese sword school as a measure.  The comparisons would be unrealistic and unfair to judge because the qualities and values are simply not the same.

The only fair way to measure the quality of a given security posture, would involve first understanding what a company was attempting to secure, and how.  For instance, I could fairly and accurate evaluate a company’s security posture as it relates to the very well-defined SDLC from Microsoft.  There are defined technical and behavioral measurements all along the board which allow for fair and accurate evaluation.  Perhaps even more important, there is a pre-existing standard of “good” posture as it relates to it– Microsoft itself.  Now, before you go all crazy– that’s just one strategy applied to one set of security goals, associated to a very specific subset of security (development).  Whether or not that strategy is successful is a whole different problem– and is no longer a question of quality but of effectiveness.

Quality and effectiveness of posture are two radically different problems.  One could have a high quality posture that is frankly ineffective to solve a particular problem, or any at all.  Baseball players assume a given posture for the sole reason that they believe it to work.  To prove a posture’s effectiveness, it has to actualize the result you expect given the problem it’s supposed to solve.  Ergo– we can talk about batting posture all day but when the rubber hits the road can you hit the ball?  Additionally, how many types of pitches can you solve with a given posture– and how quickly can adjust to a new pitcher– all things one might want to ask before they dedicate themselves toward a particular study.

I’m personally focusing my energies on understanding what constitutes an effective strategy first, because right now I think we are scratching in the dark.  I believe it’s possible to assert an understanding of effectiveness based on experience and actual measurements.  Perhaps even some experiments are needed.  Once that strategy has proven itself effective, only then will I worry about measurements against actionable items and values to reproduce it.

On that same note, we should recognize that there are many issues in “security” that are simply affectations of poor postures and brokenness elsewhere in the system.  I have heard respectable security people say that it would take a team “2 weeks to fix a SQLi problem!” as justification for using a WAF*** to buy some time.  While, yes indeed that is a strategy–  ironically, that was nearly the same argument the French used (response time) for the creation of its Maginot Line.  We all know how effective that was.  The French adopted a defensive posture as a means to handle a perceived threat, but in doing so ignored the brokenness of their own army.  Furthermore, by adopting that specific posture they also told the Germans EXACTLY how to circumvent it– their security posture was the essence of their downfall.  I cannot help but wonder what it might have looked like if they invested time in better training their armies to be responsive and adaptive.

So what are your take aways…

If you need to help a company/individual/industry understand how a decision might affect their ability to achieve an outcome– don’t be lazy.  Either apply it to a particular grand theory like an SDLC, or at the very least a set of best practices.  You need to have some measure of proof that your recommendation will positively or negatively impact the system– or it’s just speculation.

There are many available strategies on developing applications securely available today.  Microsoft’s SDLC is one, but there are others such as the OpenSAMM project.  You can accurately measure the quality of posture in companies who have chosen to follow those systems– however for companies who haven’t established a plan or reason for why they do things, you cannot.

Quality of a posture is not the same as effectiveness.  One can do many effective things, but not have any strategy or reason for doing them.  While that might seem appealing, it’s hardly repeatable and often not consistent.  I don’t believe “being lucky” should be considered a strategy.

If posture is predisposition to action, you should also consider that it may limit other actions.  I’ve not met very many successful soccer playing baseball players who concurrently are trying to fence.  I’ve met very many unsuccessful people who talk about doing all that at once, however 🙂

To achieve a posture capable of numerous goals, you have to expect tradeoffs.  Those trade offs cost something and you should be mindful of that.  If security isn’t a priority and value throughout the company, you should expect that shape the outcome of all your products.  Microsoft was willing to stop production and not release software for months until it fixed some security issues.  How many companies do you know who are willing to do the same?

You always have a posture, even if there is no strategy associated to it.  I like to refer to that as assuming the posture of about-to-get-your-butt-handed-to-you posture.

Oh– security is holistic because sun tzu says so.


** I corrected my posture 2 times while writing this 😥
*** There are places where technologies can be used (yes, even WAF) properly to support a goal.  But if you are so invested in a particular posture, how could ever expect to be to handle new challenges and information quickly and appropriately?

Post a comment or leave a trackback: Trackback URL.


  • Andre Gironda  On January 26, 2011 at 3:57 pm

    Excellent writing! I’m excited to hear more on your views about security posture.

    How do you feel about operational metrics such as the OSSTMM STAR (report) based on the ISECOM RAVs (measurements) as “security posture”? The basic idea here is that there is “perfect security” based on the right kind/amount of controls for entry points.

    Also, you appear to focus on appsec by mentioning the SDL and OpenSAMM, but I’m curious as to how we should apply the concept of posture across all infomation security domains.

    • pinvoke  On January 27, 2011 at 7:18 am

      @Andre: I don’t know much about those specific systems– but it sounds like you could measure quality of a company in relation to them. That is, if the value is to place particular controls at entry points, your measurements are clear. Companies that are doing that are aligned to the strategy they are proposing.

      However, that doesn’t mean it’s particularly effective (or ineffective). With regard to the SDLC for instance, I can prove definitively that if you follow the process you will have reduced security bugs. But I cannot prove that reduced security bugs protect your code adequately. To the contrary, evidence is available despite reduced known security bugs– unchecked assumptions, unknown security vectors, and other such processes can still drastically undermine security.

      That doesn’t mean either are bad, just that we should understand the measures of quality and effectiveness are separate. Personally, I think we need to evolve beyond SDLC and chase for something more effective. Short side note about posture– wherever it hurts, that’s likely because you’re doing something wrong. 🙂

      As far as your last question goes– we should talk more later. There is a lot more to posture that I have yet to unpack.

      • Andre Gironda  On January 27, 2011 at 8:37 am

        I like CVE and CWE, however you are right — these potentially are inappropriately and in-proportionally checked for assumptions/vectors/whatever. Qualys QG doesn’t check appropriately for CVE (not even when combined with Nessus, neXpose, CORE Impact, Metasploit Pro, CANVAS, et al) and HP or IBM don’t check appropriately for CWE (not even when combined with Checkmarx, Armorize, Veracode, Klocwork, Coverity, GrammaTech, PRQA, Parasoft, LDRA, or even KDM Analytics).

        Re:”where it hurts”: Reminds me of the seemingly eerie fact that most system and data breaches are due to a breakdown and/or gap of several controls (not just a major one). Also reminds me of the common medical joke about how to fix problems: PATIENT — “It hurts when I do this, doctor”; DOCTOR — “Well don’t do that then”.

        The basics is that external breaches occur because of targeted phishing + client-side exploit attacks OR SQLi/CMDi/XMLi/RFI attacks OR SSH/RDP/SMB attacks — often in combination with each other and often utilizing basic network pivot capability e.g. WiFi, Ethernet, VPN, webapp form authn, AD/SSO authn, etc.

        In this way, simple visibility around those entry points should be the primary control (e.g. disk/process/memory integrity monitoring coupled with change management, APIDS/AppSensor-like monitoring, logging/instrumentation, auditability/accountability with rotation/separation of duties), with “boundary based” secondary controls of attack surface reduction (i.e. less entry points), parameterized/secure queries, etc — and “passive, always-on” tertiary controls of exploitation countermeasures, component or framework based data validation/encoding, and sufficiently secure network transmission for sensitive data. You might be able to see where firewalls, antivirus, IDS, and SSL fit into the above — but notice how I didn’t call them out explicitly.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: