Commentary on Security Absurdity

I’m slowly catching up on some of my reading these days and I finally managed to chew through Noam Eppel’s article titled “Security Absurdity: The Complete, Unquestionable, And Total Failure of Information Security.”  With a title like that you would obviously expect a fair and balanced treatment of the Information Security profession :) but the article is actually very well written.  I’ll reserve ultimate judgement until the second part comes out with solutions to the litany of problems expressed in the first installment.  Without any solutions this is just a rant, of which there are plenty already available in the information security space.  However, the article does a great job of enumerating various failures across the information security spectrum, with many links to specific incidents.

I did have some issues with his treatment of web application vulnerabilities, however.  Most of the section is focused on various website defacements.  Personally, I thought any serious cracker got over defacing web pages in the late 90s.  Web site defacements are damaging to an organization’s credibility, which is especially critical in industries such as financial services.  But I am more concerned about web attacks that are more subtle, because those are the ones that never get noticed or reported.

These subtle attacks allow online attackers to stealthily pilfer information and create fraudulent transactions.  A web site defacement happens, probably gets cleaned up in a day, and everyone knows to be on the lookout.  If an attacker finds a software vulnerability in a custom web app and doesn’t make a big deal of it, they are in a much better position to cause damage over the long term, and that means more accounts get compromised, more information gets stolen and more damage occurs.

Web site defacements certainly aren’t good – but organizations really need to be worried about the attacks they don’t know about.  So in addition to locking down web and application server configurations, organizations also need to build risk assessment and secure coding into their development methodology.  Until that happens, getting their website defaced might be the best security day they have.
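To make the “subtle attack” contrast concrete, here is a small Python example added to this post (it is not code from the original article, from Eppel, or from Denim Group). It models a custom web app’s account lookup against a constructed in-memory SQLite table: one version splices the user-supplied value into the SQL text, the other binds it as a parameter. The point is that the vulnerable version returns every account to an attacker without raising an error or changing anything visible, which is exactly the kind of attack that never gets noticed or reported. The table, account names and the `lookup_*` helpers are all hypothetical.

```python
import sqlite3

# Constructed sample data for this example only (not from the original post).
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.com", 1250.00),
    ("bob", "bob@example.com", 98.10),
    ("carol", "carol@example.com", 40310.55),
]


def setup_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for a custom web app's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, email TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Profile lookup as it is often written: the user-supplied value is
    spliced straight into the SQL text. The query still succeeds, the page
    still renders, and nothing is defaced, so nothing prompts a closer look."""
    sql = (
        "SELECT username, email, balance FROM accounts WHERE username = '"
        + username
        + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """The same lookup with a bound parameter: the driver sends the value
    separately from the SQL text, so it can only ever be compared as a
    username, never interpreted as SQL."""
    sql = "SELECT username, email, balance FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology payload. It is syntactically valid SQL once spliced in,
# raises no error, and produces an ordinary successful response.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal username and with the payload and return
    the row counts, so the difference can be checked rather than just read."""
    conn = setup_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "alice")),
        "normal_safe": len(lookup_safe(conn, "alice")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "payload_safe": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

For a legitimate username both versions return the same single row, so the bug is invisible in normal use and in functional testing. With the payload, the concatenated version hands back all three accounts while the parameterized version returns nothing. This is what secure coding in the development methodology buys you: a defect that would otherwise quietly leak every account is simply not expressible in the parameterized form.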

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.