Looks like there was some good stuff covered at BlueHat recently. Check out the BlueHat Security Briefings site.

The New Security Disclosure Landscape article by Rain Forest Puppy covers the state of the research industry better than most I have read recently.

Posted in: Research


  1. Dec says:

    The argument that RFP makes is so important.

    Moral security researchers have been protecting software end users (companies and individuals) for a long time now, with little reward. We can no longer do this with Web 2.0 (I hate that term..) and it will be the end users that pay the price.

    Software vulnerabilities hurt end users more than they hurt the vendors. And now vendors have even less motivation to work with researchers… because any research becomes personal.

    While this technology shift (from autonomous software packages to the SaaS model) isn’t intended to lower security, it inevitably will.

    The thing is, if a researcher gets in legal trouble when they disclose a vulnerability, they won't disclose it.

    It's that simple.

    Software will still be vulnerable, people will still find the vulnerabilities, but the vendor won’t find out and be able to fix them. And I’m not saying that we will all overnight become black hats – once you have been penetration testing and researching for a few years there are a lot of vulns that you see without having to ‘touch’ the system – just that we don’t tell the vendor.

    Of course, black hats will still be black hats.. and there will be more vulnerabilities for them to discover and exploit as the vendors won’t be told about them anymore.

    (case in point: how much Cisco 0day is floating around now after the Lynn affair?)

    This puts everyone at risk, and most importantly it breaks down the user / server trust that the Web 2.0 model requires.

    So again we have a researcher working hard for everyone’s long-term interest. For little to no gain.

    DISCLAIMER: I’m not bitter or anything :-p

  2. Katsumoto says:

    I agree… not only Web 2.0 but also ‘rich content’ (also reluctant to use that term.. maybe we’re getting old for the internet!) =)

    Check out:
    http://www.internetevolution.com/document.asp?doc_id=134901&page_number=3

    I am convinced that this is how the security challenge for corporations will evolve. We will again see a number of ‘silver bullet’ products developed and deployed to counter these ‘threats’ and they will fail yet again!

  3. @Dec,

    It can be argued that the SaaS model overall will enhance security, i.e. fix it for one and you fix it for all. It’s a numbers game. You would *expect* mature SaaS companies to also understand the risks they face (e.g. Qualys – disclosure again: Qualys is a business partner of SA) and provide deep layers of security and the strongest encryption. It hasn’t failed yet with good management.

    But saying that, as others get on the bandwagon, we know good practice is pushed aside for critical mass of customers and first mover advantage.

    DD