Thursday, January 19, 2006

Security: as it Was Six Years Ago ...

I totally agree with this insightful conclusion from this year's SANS Top 20 (http://www.sans.org/top20); there is no better way to summarize it than to quote a line from Alan Paller:

"The bottom line is that security has been set back nearly six years in the past 18 months. Six years ago attackers targeted operating systems and the operating system vendors didn't do automated patching... Now the attackers are targeting popular applications, and the vendors of those applications do not do automated patching."

But it is not only about automated patching, by far! Security mistakes of the early operating system software, such as the venerable Windows NT IIS flaws, Windows MSRPC flaws, lack of authentication in Windows 95/98, Solaris and Linux RPC and FTPD holes and other egregious faults of the bygone days, are about to come back in force in Oracle, PeopleSoft and other common networked business apps.

And, considering that almost every app is networked nowadays, the risks are higher. The only mitigating factor is that there is much more diversity in the application world compared to the OS world. There are a dozen major OS variants in use today (and we all know which one is by far the most common :-) at least on the desktop), but the number of actively used applications is in the high thousands. Thus, Dan Geer's monoculture argument [PDF] works in our favor.

However, while this will make the world a bit more secure, it might make an individual application user a bit less secure, since less attention is paid to securing your particular app. Thus, if you happen to be owned through an obscure "third party" application, you have no one else to blame but your software vendor ...

Dr Anton Chuvakin