Sunday, July 1, 2012

Nonsense abounds, and more is coming.

I can’t even think about reading coverage of the Amazon Web Services outage, the hype and stupidity is already overwhelming.

The cloud has failed us again!

Yes, and we have failed it again, too, as we have pretty much every preceding technology.  If I understand it correctly, the “logic” is that those who put all of their cloud services in a single zone with a single provider, a zone/provider combo with a few scars in its history at that, are somehow the victims of a failure they should have anticipated and mitigated.  Fine, everyone’s a victim, whatever.  I propose the following slogan for AWS:

AWS, we’re cheap and so are you. Do it right or STFU.

But let’s not dwell on that; recently there have been a couple of other rant-worthy stories.  We can ease into full-blown rant mode with this one:

“99% of attacks could be stopped by patching”

At least according to the above article in Infosecurity Magazine.  There is a huge and flawed leap required to get to this utter nonsense, and it needs to be beaten down, and hard.  The article says Microsoft’s chief UK security advisor Stuart Aston

“pointed out that less than 1% of attacks are based on zero-day exploits”

and I’ll buy that, but I would obviously like an actual reference, and you know, some of that “DATA” stuff to back up that claim.  Then it gets interesting, with an epic leap of logical fallacy leading to…

“The implication is clear: 99% of attacks could be stopped by anti-malware and up-to-date, fully-patched, software.”

No, they could not. That is so very wrong, on multiple levels.  First and foremost, you cannot “stop attacks”; you can only stop or alter the consequences of the attacks.  You can stop attacks from succeeding (sometimes), and minimize the impact on your organization, but the attacks will come no matter what you do.  And no, it is not pedantic to get wound up over using the wrong terminology in a trade publication.  Get it right.  Further, the idea that “attacks” only fall into two categories, zero-day and patchable, is more nonsense.  No, patching and anti-malware will not fix logic flaws, authentication failures, misconfiguration, or a myriad of other problems.  Nonsense and drivel, stop it.

But that is really only a minor annoyance compared to the rage-inducing drivel which recently came from Ramon Krikken, a research vice president at Gartner.

As referenced in this Search Security article, Mr. Krikken said some logical things, such as that there is a clear disconnect between security and application development, and that developers are going to do what they are measured on, which is generate code, not necessarily generate secure code.  There are some other viable references and observations in there, but the madness comes from his view of Web App Firewalls and other bolt-ons:

“The application security challenge has become so difficult to address through development, Krikken said, that he instead encouraged enterprises to consider an alternative strategy that relies less on developers and more on integrating defensive technologies – like Web app firewalls (WAFs), database audit and protection (DAP) products and XML gateways – into the enterprise application architecture.”

Secure coding is so hard that we need to rely on WAFs and other bolt-ons to protect us?  But WAFs are software, and by definition must include web applications, and as we know web software has vulnerabilities, so do I need to put another WAF in front of my WAF to protect it?  How far does that go?  We have seen vulnerabilities in WAFs, and we will see more.  Also, WAFs are far from perfect, they can do nothing about most complex bugs, and can rarely handle logic flaws, so we’re just throwing another layer of complexity in the stack to add security?  Bolt-on security doesn’t have a great track record.

There is a place for WAFs; in my mind they can perform two functions very well: filter out basic internet crap, and, when properly tuned (generally with custom rules), provide defense against known weaknesses in web applications until the code can be fixed.  WAFs are frequently bypassed, and are generally difficult to properly tune; this nonsense from Mr. Krikken has damaged application security.  He may have said mitigating things, but the takeaway is “I don’t need secure code, because that’s hard, I just need a WAF”.  And that is dangerously wrong.
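The distinction drawn above, as an added illustration that is not from the original post: a toy signature filter standing in for a WAF, beside the authorization check that only the application itself can make. The rules, invoice data and request strings are all constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed signature list, standing in for the "basic internet crap" filtering
# the post credits WAFs with. Real rule sets are far larger; these are illustrative.
SIGNATURES = [
    re.compile(r"(?i)(\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1)"),  # crude SQLi patterns
    re.compile(r"(?i)<script\b"),                                      # reflected XSS marker
    re.compile(r"\.\./"),                                              # path traversal
]

def waf_allows(query_string: str) -> bool:
    """Signature-only inspection: block when any parameter value matches a rule.
    The filter sees bytes, not meaning; it has no idea who owns which record."""
    params = parse_qs(query_string, keep_blank_values=True)
    return not any(sig.search(v)
                   for vals in params.values() for v in vals for sig in SIGNATURES)

# Constructed ownership table: which customer each invoice belongs to.
INVOICE_OWNER = {"1001": "alice", "1002": "bob"}

def app_allows(query_string: str, session_user: str) -> bool:
    """Authorization check inside the application: the logic a WAF cannot supply,
    because a request for someone else's invoice is syntactically spotless."""
    params = parse_qs(query_string)
    invoice = params.get("invoice", [""])[0]
    return INVOICE_OWNER.get(invoice) == session_user

# Constructed requests, all made under alice's session.
REQUESTS = {
    "sqli":  "invoice=1001'%20OR%20'1'='1",  # known-bad pattern; the WAF earns its keep
    "own":   "invoice=1001",                 # legitimate request
    "other": "invoice=1002",                 # clean payload, wrong owner: a logic flaw
}

def evaluate(session_user: str = "alice") -> dict:
    """Return {request: (waf_allows, app_allows)} so the two layers can be compared."""
    return {name: (waf_allows(q), app_allows(q, session_user))
            for name, q in REQUESTS.items()}

if __name__ == "__main__":
    for name, (waf_ok, app_ok) in evaluate().items():
        print(f"{name:6} WAF passes: {waf_ok!s:5} app authorizes: {app_ok}")
```

The "other" request passes the signature filter and is stopped only by the ownership check in code, which is the category of bug the post says patching, anti-malware and bolt-ons do not touch.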

If I were a cynical person, I might think Mr. Krikken has made his living in the “advising people who sell bandages to trauma patients” world of information security too long to be taken seriously.  Glad I’m not like that.

Full disclosure/reminder bits: I work in vendorland, and have for the past several years, and these vendors use analysts to help focus products and messages.  Hopefully it is obvious that I have not fallen completely under the spell of industry analysts.  (With at least one notable exception.)