Wednesday, July 2, 2008

are things getting better?

so i had a very nifty conversation w/ my buddy n mentor (beware: microblogging linkage) earlier tonight.

so basically we picked up on a thread that i referenced in a prev post where schneier and ranum are talking about whether or not vuln research is ethical... well, shawn and i both believe in responsible disclosure, but we went off on a tangent about something ranum said:

Not only do we still have buffer overflows, I think it's safe to say there has not been a single category of vulnerabilities definitively eradicated ... Has what we've learned about writing software the last 20 years been expressed in the design of Web 2.0? Of course not! It can't even be said to have a "design."

ok, so while i completely disagree w/ the non-disclosure argument (sry marcus, you will still always be a badass in my mind ;), i completely agree w/ what he is saying here...

i don't think our software developers are making things better overall. yes shawn, we are making a ton of progress w/ improving development frameworks to have lazy coders conform to secure defaults instead of insecure ones.

but overall, i don't feel like things are getting better. and yea, it's just a feeling. but, pretend for a min that statistically we're reducing the number of vulns introduced in each piece of code via dev education and improvements in dev frameworks. it seems that despite this percentage reduction in vulns, we're seeing an explosion in growth in the number of applications as well as the types of applications (ie: web 2).

the new apps might have vulns, but they will be the same types of vulns we've seen before for the most part, and have a chance of being mitigated by framework improvements, etc.

but the new types of apps (ie: web 2 apps) are completely new threat canvases. they are doing new things in new ways which no one has seen before. this inevitably leads to new ways to do unintended things. who knows what they will be, but if there is a way to do *anything* to a few million people who are using site foobar2dotohhhh.com, someone can find value to leverage that to some nefarious purpose...

imo the verizon security report (full disclosure: atm i have only skimmed it) is telling us that the future holds a lot of badness... 90% of the breaches used exploits more than 6 months old, and 70+% used sploits more than a year old.

it isn't like we're not still seeing OS and core app vulns. the code being written for modern apps by companies trying to improve security is still failing. and don't forget about non-core vulns, like flash and pdf, which aren't secured by any type of common patching/updating framework. and then there's the web app world w/ SQL injection and web app foo. oh, and let's not forget other categories of vulnerable applications, like games... there is a lot of software out there (AV, backup software, etc) which has rights on our boxes and contains vulns...

there are more eyes looking for vulns all over than ever before. and most people haven't even started looking closely at the really new stuff everyone is flocking to. besides the fact that there are a couple of vulnerable browsers on the tubes atm... shawn thinks things are getting better, but i think if you catch his talk in vegas you might see that he's making my point for me... ;)
