2007 DOI: Day 7 - The Information Strikes Back

Submitted by Mike Rothman on Thu, 2007-02-22 10:55.
2007 finally brings acknowledgment that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.

Read the rest of the 2007 Incites here.


It was back in February of 2006 that I first published a skeleton construct that I called the “Pragmatic Security Architecture.” [link] I basically spelled out that data/information security is different than protecting infrastructure (servers, networks, etc.) and should be treated as such.

I was right. I’m usually not one to gloat, but… Well, of course I am, so I’m gloating.

Just because we now understand the problem doesn’t mean we are anywhere close to fixing it. Why? Because looking at security from an application view is foreign for most security folks. Looking at the fundamental elements of data is even more foreign.

So what we have here is a business with many folks that are just ill suited to protect applications and data. In 2007, the extent of this problem becomes clear. Jeremiah Grossman did an interesting analysis that shows just how significant our skills shortage is here. That was an “oh, crap” moment for me.

What now? Basically, since we don’t have the people to do the job, we have to rely on tools, which are not a good answer – but probably the only one we’ve got in the short term. So there will be lots of interest in application scanning tools and application firewalls, and database scanning, monitoring, and “firewalls” will also be very interesting to folks.

These tools will eliminate the low hanging fruit. You know, obvious configuration, permissions, and cross-site scripting issues. But they won’t solve the business logic issues that plague many applications. There is no tool to solve that problem.
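To make the distinction concrete, here is an added example (not code from the original post) contrasting the two bug classes. The first, reflected cross-site scripting, has a mechanical symptom a scanner can observe: injected input comes back unencoded. The second, a checkout that trusts the client's arithmetic, produces perfectly well-formed responses, so no scanner signature exists for it; only someone who understands what the application is supposed to do can write the check. The shop functions, catalogue and the toy scanner model are all hypothetical and constructed for illustration.

```python
"""Added example: why scanners catch mechanical flaws (XSS) but not
business-logic flaws. Everything here is constructed for illustration;
the shop functions and catalogue are hypothetical."""
import html

# --- Class 1: reflected XSS. Detectable by a tool, because the symptom
# is mechanical: user input appears unencoded in HTML output.
def render_greeting_unsafe(name: str) -> str:
    # Vulnerable: raw interpolation into an HTML text node.
    return f"<p>Hello, {name}!</p>"

def render_greeting_safe(name: str) -> str:
    # Fixed: contextual output encoding for an HTML text node.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"

def scanner_would_flag(rendered: str, marker: str) -> bool:
    """Crude model of a DAST scanner: submit a marker and check whether
    it is reflected verbatim. This is all a generic tool can see."""
    return marker in rendered

# --- Class 2: business logic. Nothing here is syntactically wrong and
# every response is well-formed; the flaw is that the server believes
# the client's total. No scanner payload reveals it.
PRICES = {"widget": 10.00, "gadget": 25.00}   # constructed catalogue

def checkout_unsafe(cart: dict, client_total: float) -> float:
    # Vulnerable: charges whatever total the client claims.
    return client_total

def checkout_safe(cart: dict, client_total: float) -> float:
    # Fixed: recompute server-side from the catalogue, reject unknown
    # items and non-positive quantities, and treat a mismatching client
    # total as tampering rather than as the price.
    total = 0.0
    for item, qty in cart.items():
        if item not in PRICES:
            raise ValueError(f"unknown item {item!r}")
        if not isinstance(qty, int) or qty <= 0:
            raise ValueError(f"invalid quantity for {item!r}: {qty!r}")
        total += PRICES[item] * qty
    total = round(total, 2)
    if abs(total - client_total) > 0.005:
        raise ValueError("client total does not match server total")
    return total

if __name__ == "__main__":
    # Scanner finds the XSS, then loses its signal once encoding is fixed.
    print(scanner_would_flag(render_greeting_unsafe("<zz>"), "<zz>"))  # True
    print(scanner_would_flag(render_greeting_safe("<zz>"), "<zz>"))    # False
    # Both checkouts return a plausible number; only the review of what
    # the business rule *should* be tells them apart.
    print(checkout_unsafe({"widget": 2}, 0.01))            # 0.01
    print(checkout_safe({"widget": 2, "gadget": 1}, 45.0))  # 45.0
```

The point of `checkout_safe` is not the arithmetic but the decision of what the server must never take on faith, and that decision is a requirement of this particular application, which is exactly the kind of knowledge a generic tool does not have.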

Given the consistent issues around application flaws, developers will finally start to “get it” and begin using more structured secure coding practices. You’ll also see more folks start to use security testing tools (beyond scanners) to make new applications run the gauntlet before they are let loose on the world.

Finally, we’ll see application security as the focus of the next wave of education and training for security professionals. When the skills don’t exist to solve the problem, you can pray for manna from the heavens, or you can go grow your own application security professionals. Let’s just say, I don’t expect to be hit upside the head with a baguette falling from the sky anytime soon, so it’s time to go to class.

Looking at the information security issue is very much like watching The Empire Strikes Back. At the end, you are depressed because it seems like the bad guys are winning, basically because they are. And we don’t get to see the sequel for another 3 years.