2009 Info Security Predictions: Part I
Traenk ruminates over what's likely to hit security professionals in the coming year.
About.com's Tony Bradley found an interesting set of predictions: Top 10 things unlikely to happen in 2009. It's a whimsical, satirical list that includes items like "No more devices lost--ever".
Maybe you think such sarcasm is worth missing or not mentioning? I found the list fascinating. Security trends are highly apparent, yet too many organizations refuse to view and respond to them.
Info Sec has never been an easy sell, but it seems to be getting tougher. Let me know what you think in a response.
My predictions begin with one that alarms me most: Software and application security become a distinguishing trait amongst vendors.
- Once Microsoft tightened the default install of SQL Server (often used with Visual Studio and other products), the hackers turned their knives onto Oracle, with disastrous results.
- CanSecWest 2008 ripped through Mac OS X in minutes. Vista was only shredded once the judges were instructed to install Flash and visit a site with carefully crafted Flash content. Linux stood tall after carefully patching the entire system to each individual application's specifications, something typically not seen on desktops.
- Security researchers find security vulnerabilities with several Software Update sites. Malware masquerades as security-checking software.
In short, with so many firewalls being enabled by default and with operating systems getting improved settings, settings that disable running code by default, the battle now focuses on those software vendors that underestimate security needs. Eager hackers and security researchers are targeting the utilities or Enterprise-grade big tools as their next gateway into your organization. What's your response been?
Of course, many of us are aware that all software has security issues. Others will condemn Flash as having too many holes. Still others will complain about all those Microsoft patches. Still others will use news about Samba patches as a big indictment against Open Source.
We Info Sec Pros know that all code fails. Patching is a monthly exercise, now that Organized Crime and other groups make software security a financial proposition. But the Decision Makers' confidence seems shaken by the whole mess.
So here's the question I pose to all software developers: at what point will rushed patches and lousy security design, zero-day worms stopping organizational networks, and Internet chatter against your product stop or slow its adoption rates in favor of alternatives? Don't you think it's time to begin sound, secure software development practices?
I'll post more predictions as time permits. Until then, I'm performing maintenance on my Kawasaki Concours motorcycle.