To the non-security community it must appear that the bad guys are smarter and more organized than the security professionals, and that may be because:
- The 'Good' are talking about security, acting in silos and creating bloated security frameworks that measure controls but not risk;
- The 'Bad' are acting to get results, getting better at it and getting better outcomes;
- The outcome is just plain Ugly.
Is Rhetoric bad? It can be if it does not spark the required actions. It can be if it’s not loud enough when it needs to be.
If we were speaking louder or smarter would we not point out that "shutting the entire Internet domain down due to infringing material on a single web page" as proposed in SOPA is akin to treating a headache with a hammer?
As in anything reactive, it will not address the real issue and will cause more harm than good. Right intention, wrong action.
We should also highlight the security implications of the explosion of smartphone usage. We are rapidly heading toward a mobile Internet world. IDC forecasts mobile Internet users to grow by 16.6 percent annually and surpass PC and other wireline users by 2015.
Boston Consulting Group estimates the value of the web economy in G20 countries will nearly double by 2016. But is this sustainable without a proactive and strategic security and privacy foundation? So what is the security foundation we can set in place?
If there is one area that screams for a security grassroots effort and proactive action it is the creation of mobile applications that are secure and protect user privacy. We are aware of the issues such as:
- Traditional access control is simple, but permission-based access has become very challenging – applications explicitly request the user’s permission to access sensitive data. We are expecting users to act as system administrators without adequate training, which is not feasible. More on that in a later posting.
- Secure application distribution – verification, author identity etc.
- Encryption of sensitive data stored on the devices and during transmission.
- Isolation of applications.
- Perils of using device IDs for authentication.
There are established guidelines and standards on secure development from groups such as OWASP, vendors and security professionals around these issues which can be used by businesses creating applications.
The question is how to achieve acceptance and adoption of these standards in the application DNA. What is required is a gatekeeper.
I cannot think of a better gatekeeper than the application stores – Android marketplace and Apple’s App Store. They are in the position to list security as a necessary criterion for acceptance.
Also, both Apple and Google have application interfaces that developers can use for secure development. They have to better publicize these interfaces and provide training for developers in order to aid adoption.
Another area that is low-hanging fruit for fundamental security is commercial web sites. For starters, they should institute due diligence for third parties, especially advertisers.
One cannot assume partners are doing the right thing, even large companies with credibility. A large bank was in the news recently for a security breach due to an ‘insecure direct object reference’ vulnerability, an application security vulnerability that has been on the OWASP Top 10 for years.
I am surprised they did not bow their heads in apology as in the case of SONY (I have defined a proactive Secure SDLC program for a non-financial company and cannot reconcile myself to a negligent security development approach in the financial industry, sorry).
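The ‘insecure direct object reference’ weakness named above, as an added example that is not part of the original post: a lookup that trusts the client-supplied record id, beside an ownership-checked lookup and the OWASP-style indirect reference map. The statement data, user names, secret and helper names are all constructed for illustration.

```python
"""Added example, not from the original post: the 'insecure direct object
reference' pattern mentioned above, as a vulnerable lookup beside two
hardened variants. The data, user names and helper names are constructed."""
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Statement:
    statement_id: int
    owner: str  # account allowed to read this statement
    body: str

# Constructed sample data: two customers, each with one statement.
STATEMENTS = {
    1001: Statement(1001, "alice", "Alice: balance 4200.00"),
    1002: Statement(1002, "bob", "Bob: balance 17.50"),
}
SERVER_SECRET = b"constructed-secret-for-demo"  # real one comes from config

class Forbidden(Exception):
    """Authenticated caller is not authorized for the requested object."""

def get_statement_vulnerable(session_user: str, statement_id: int) -> str:
    """IDOR: the client-supplied id is trusted and ownership is never checked,
    so any logged-in user can read any statement by changing the number."""
    return STATEMENTS[statement_id].body

def get_statement_hardened(session_user: str, statement_id: int) -> str:
    """Fix 1: authorize the object against the authenticated user. Missing and
    foreign records produce the same error, so ids cannot be enumerated."""
    record = STATEMENTS.get(statement_id)
    if record is None or record.owner != session_user:
        raise Forbidden(f"statement not available to {session_user}")
    return record.body

def indirect_reference(session_user: str, statement_id: int) -> str:
    """Fix 2 (OWASP 'indirect reference map'): hand the client a per-user
    opaque token instead of the database id."""
    msg = f"{session_user}:{statement_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def get_statement_by_reference(session_user: str, ref: str) -> str:
    """Resolve a token only against records the session user owns, so a token
    copied from another user's page never resolves."""
    for sid, record in STATEMENTS.items():
        if record.owner == session_user and hmac.compare_digest(
                ref, indirect_reference(session_user, sid)):
            return record.body
    raise Forbidden(f"reference not valid for {session_user}")
```

The vulnerable function is the pattern a code review or a scanner should flag: an object id from the request reaches the data layer without any check against the session.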
Web sites should ensure advertisers do not have security vulnerabilities or contain harmful content. Both are equally important as there have been precedents of good ads being corrupted due to vulnerabilities.
Malicious advertisements have spiked in the last year and are a popular and extremely efficient avenue for exploiting web browsers. Some companies block all advertisements on their networks but make exceptions for marketing teams who need to view them for business purposes, so at best they narrow the threat window but do not eliminate the threat entirely. Average home users now face the highest risk of infection by malvertisements.
These are two suggestions; I am sure there are many more. Let’s start somewhere…