Information Security
Report Card: 2007 Incite #7 - The Information Strikes Back
It was good to see the topic of data security enter the conversation in 2007; it's the next frontier of security and a really big, nasty, hairy problem. There aren't any good answers to the issue quite yet, but a lot of smart folks are working on it. This is definitely one of the areas to keep your eyes on in 2008.
Incite #7 - The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-7-the-information-strikes-back
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-12-2007
Final grade: B+
A funny thing happened on the way to the final grade for this Incite. The industry started to acknowledge the fact that securing data is different, and that applications are the path of least resistance to your data. Given the imminent chaos around virtualization, SOA, and continued focus on private data driven by PCI (more on that later), security professionals no longer have a choice: they must figure out how to secure their information/data.
I think we all acknowledge that the right answer is to build secure applications that aren’t subject to simple XSS and SQL injection attacks. Of course, that requires that our developers get religion about secure coding practices and that our executives get comfortable with the fact that applications shouldn’t ship unless they are secure.
Right, it’ll be a cold day in hell when that happens. So what’s Plan B?
Basically, we have to keep working around the issue by doing application scans and pen tests, and maybe even implementing some database and web application defenses, to compensate for the fact that our developers don’t care about security.
If there was ever a space that is crying for some disruption, it’s the data security market. The current methods are band-aids at best. Not that I’m talking about 2008 yet, since we haven’t put 2007 to bed – but we need to think differently about data security. Fundamentally differently. That means we’ll need to think about how to secure the fundamental element of data, wherever it is because we can no longer assume that we only need to protect the data within our environment.
I gave myself a B+ on this one because I was largely right: we’ve got a lot of acknowledgement about the depth of the data security issue – but precious few ideas on how to really solve it.
Check out the other posts in the Report Card series.
2007 DOI: Day 7 - The Information Strikes Back
2007 finally brings acknowledgment that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.
Read the rest of the 2007 Incites here.
It was back in February of 2006 that I first published a skeleton construct that I called the “Pragmatic Security Architecture.” [link] I basically spelled out that data/information security is different than protecting infrastructure (servers, networks, etc.) and should be treated as such.
I was right. I’m usually not one to gloat, but… Well, of course I am, so I’m gloating.
Just because we now understand the problem doesn’t mean we are anywhere close to fixing it. Why? Because looking at security from an application view is foreign to most security folks. Looking at the fundamental elements of data is even more foreign.
So what we have here is a business with many folks who are just ill-suited to protect applications and data. In 2007, the extent of this problem becomes clear. Jeremiah Grossman did an interesting analysis that shows just how significant our skills shortage is here. That was an “oh, crap” moment for me.
What now? Basically, since we don’t have the people to do the job, we have to rely on tools, which are not a good answer – but probably the only one we’ve got in the short term. So there will be lots of interest in application scanning tools and application firewalls; database scanning, monitoring, and “firewalls” will also be very interesting to folks.
These tools will eliminate the low-hanging fruit. You know, obvious configuration, permissions, and cross-site scripting issues. But they won’t solve the business logic issues that plague many applications. There is no tool to solve that problem.
Given the consistent issues around application flaws, developers will finally start to “get it” and begin using more structured secure coding practices. You’ll also see more folks start to use security testing tools (beyond scanners) to make new applications run the gauntlet before they are let loose on the world.
Finally, we’ll see application security as the focus of the next wave of education and training for security professionals. When the skills don’t exist to solve the problem, you can pray for manna from the heavens, or you can go grow your own application security professionals. Let’s just say, I don’t expect to be hit upside the head with a baguette falling from the sky anytime soon, so it’s time to go to class.
Looking at the information security issue is very much like watching The Empire Strikes Back. At the end, you are depressed because it seems like the bad guys are winning, basically because they are. And we don’t get to see the sequel for another 3 years.
What's Mike reading?
A while back I published my OPML reading list (here), so you could get a slight glimpse of what I'm reading. Unfortunately that service is static and I'm too lazy to keep it up to date. But my friend Pito Salas, who does BlogBridge (my RSS reader), has graciously published my dynamic reading list as a BlogBridge expert guide. I'm not sure I'm the expert of anything, but nonetheless...
Basically this is a list of the top security blogs that I read. BlogBridge has this cool rating system where I use 1-5 stars to rate each blog. Then it is organized accordingly when new material comes in, which makes getting through my news much easier. I track close to 100 security blogs now, but only about 30 rate 3 or more stars.
So check out those 30 here. The OPML link is here.
If you happen to use BlogBridge, this is really cool. You can add my reading list as a new guide. Go to Guides-Add Guide. Then click the "reading list" tab, hit the plus button (on the bottom left), and add the OPML link: http://www.blogbridge.com/directory/folder/1592.opml. Then any time I update my reading list, yours will be updated automagically.
Thanks Pito. BlogBridge is great.
Technorati Tag: information security