Attacks on Apps

By Baselinemag  |  Posted 2006-08-09

A top computer security expert outlines the latest threats and how to avoid them.

Q: You raise the point of software quality. Now, there are even reported vulnerabilities with the Mac. Will we ever not have to worry about the quality of software?

A: It's way, way beyond Microsoft, Oracle, Sun, HP, Mac. What we're seeing now is this new generation of people attacking various applications, whether it's word processing programs or shopping carts online.

What we're seeing is people going after the application because, while we've been focusing on doing a better job of patching network operating systems, routers and all that other stuff, the bad guys have shifted to attacking applications.

I don't think we're ever going to be in a position where we 100% no longer have to worry about software vulnerabilities. But I truly believe we will reach a point sooner rather than later where the volume goes down significantly—where you don't have your monthly release of another 10 patches. [I can see] where once a quarter you may have one or two bug fixes.

And I say that from two different perspectives. One, there is a lot more training and education going on for developers on how to write secure code. And the second thing, there are a lot more automated tools that are available out there to keep you from having to personally review 11 million lines of code. That gives you the ability to use automated tools to search for vulnerabilities, even complex vulnerabilities. And flag them before the applications are even compiled, so those things can be repaired before they get shipped.

Q: First the operating system. Now the application. What are people going to have to worry about next?

A: Look at the OSI model [the standard seven-layer framework for communications—application, presentation, session, transport, network, data link, physical]. I forget where the question came up, but somebody asked on the OSI model, at which layer do we need to worry about security? And the correct and easy answer is, all seven layers.

You can never ignore these things. What you have to do is defense in depth.

Q: When it comes to security breaches, what's the biggest obstacle facing CIOs?

A: From my experience, the biggest impediment seems to be the lack of understanding that it could happen to them. Oftentimes, people read about someone else and say, "Boy, I'm glad that wasn't me."

But one of the questions they should be asking is, if someone were to try the same thing with us, what's the likelihood of it succeeding? And then, based on that answer, look at the business model. [And then they need to figure out if] they just need more diligent monitoring. Do they need to add some tools?

Q: What are the top three things you recommend CIOs and CSOs do?

A: One, first and foremost, meet regularly with and listen to your security people. The security field has matured from the old days, [with] security being the people saying, "No, no, no, you can't do this," to, "I can help you solve your business processes by deploying good security." Because nobody wants to be on the front page of the newspaper saying a bad thing happened.

The second thing is set up what I generally refer to as a business risk council, which brings in the security folks, the I.T. folks, the finance folks, the HR folks and the business leaders, and basically makes decisions not only around policy but also technology, impact, and basically being able to deal with the whole development of the culture of security within the company.

And the third thing is, this is an issue that has to come from the top. I just met with the CEO and chairman of one of the largest financial companies on the East Coast. And one of the things we discussed very specifically is that this is not something where you just send out an e-mail once a quarter from the CSO or the CIO or the HR people [that says], "Don't forget to change your passwords."

It's got to be something that's built in from the top on down—a core way of doing business.
