I can’t even think about reading coverage of the Amazon Web Services outage, the hype and stupidity is already overwhelming.
The cloud has failed us again!
Yes, and we have failed it again, too, as we have pretty much every preceding technology. If I understand it correctly, the “logic” is that those who put all of their cloud services in a single zone with a single provider, a zone/provider combo with a few scars in its history at that, are somehow the victims of a failure they should have anticipated and mitigated. Fine, everyone’s a victim, whatever. I propose the following slogan for AWS:
AWS, we’re cheap and so are you. Do it right or STFU.
But let’s not dwell on that; recently there have been a couple of other rant-worthy stories. We can ease into full-blown rant mode with this one:
At least according to the above article in Infosecurity Magazine. There is a huge and flawed leap required to get to this utter nonsense, and it needs to be beaten down, and hard. The article says Microsoft’s chief UK security advisor Stuart Aston
“pointed out that less than 1% of attacks are based on zero-day exploits”
and I’ll buy that, but I would obviously like an actual reference, and you know, some of that “DATA” stuff to back up that claim. Then it gets interesting, with an epic leap of logical fallacy leading to…

“The implication is clear: 99% of attacks could be stopped by anti-malware and up-to-date, fully-patched, software.”
No, it cannot. That is so very wrong, on multiple levels. First and foremost, you cannot “stop attacks”, you can only stop or alter the consequences of the attacks. You can stop attacks from succeeding (sometimes), and minimize the impact on your organization, but the attacks will come no matter what you do. And no, it is not pedantic to get wound up over using the wrong terminology in a trade publication. Get it right. Further, the idea that “attacks” only fall into two categories, zero-day and patchable, is more nonsense. No, patching and anti-malware will not fix logic flaws, authentication failures, misconfiguration, or a myriad of other problems. Nonsense and drivel, stop it.
But that is really only a minor annoyance compared to the rage-inducing drivel which recently came from Ramon Krikken, a research vice president at Gartner.

As referenced in this Search Security article, Mr. Krikken said some logical things, such as that there is a clear disconnect between security and application development, and that developers are going to do what they are measured on, which is generating code, not necessarily generating secure code. There are some other viable references and observations in there, but the madness comes from his view of Web App Firewalls and other bolt-ons:
“The application security challenge has become so difficult to address through development, Krikken said, that he instead encouraged enterprises to consider an alternative strategy that relies less on developers and more on integrating defensive technologies – like Web app firewalls (WAFs), database audit and protection (DAP) products and XML gateways – into the enterprise application architecture.”
Secure coding is so hard that we need to rely on WAFs and other bolt-ons to protect us? But WAFs are software, and by definition must include web applications, and as we know web software has vulnerabilities, so do I need to put another WAF in front of my WAF to protect it? How far does that go? We have seen vulnerabilities in WAFs, and we will see more. Also, WAFs are far from perfect, they can do nothing about most complex bugs, and can rarely handle logic flaws, so we’re just throwing another layer of complexity in the stack to add security? Bolt-on security doesn’t have a great track record.
There is a place for WAFs, in my mind they can perform two functions very well: filter out basic internet crap, and when properly tuned (generally with custom rules) they can provide defense against known weaknesses in web applications until the code can be fixed. WAFs are frequently bypassed, and are generally difficult to properly tune; this nonsense from Mr. Krikken has damaged application security. He may have said mitigating things, but the takeaway is “I don’t need secure code, because that’s hard, I just need a WAF”. And that is dangerously wrong.
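To make the two points above concrete (patching and anti-malware do nothing for logic flaws, and a tuned WAF rule can only cover a known, pattern-matchable weakness until the code is fixed), here is an added example that is not code from this post or from any product. The "virtual patch" rule, the endpoints, the account data and both handlers are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    path: str
    params: dict
    user: str  # authenticated user, as the application sees it


# Constructed "virtual patch" rules: each one targets a known weakness in one
# endpoint's parameter, buying time until the application code is fixed.
VIRTUAL_PATCHES = [
    ("/search", "q", re.compile(r"(?i)\b(union|select)\b.*\bfrom\b")),
]


def waf(req: Request):
    """Return a block reason if a virtual-patch rule matches, else None."""
    for path, param, pattern in VIRTUAL_PATCHES:
        if req.path == path and pattern.search(req.params.get(param, "")):
            return f"blocked by virtual patch for {path}:{param}"
    return None


# Constructed data: which user owns which account.
ACCOUNTS = {"acct-1": "alice", "acct-2": "bob"}


def statement_handler_unchecked(req: Request) -> str:
    """Logic flaw: trusts the caller-supplied account id without an ownership check.
    No pattern in the request looks malicious, so no WAF rule can catch this."""
    return ACCOUNTS[req.params["account"]]


def statement_handler_fixed(req: Request) -> str:
    """The fix lives in the code: the authorization decision, not a filter."""
    owner = ACCOUNTS.get(req.params["account"])
    if owner != req.user:
        return "forbidden"
    return owner


def serve(req: Request, handler) -> str:
    """Request pipeline: the WAF sees the request first, then the handler."""
    reason = waf(req)
    if reason:
        return reason
    return handler(req)
```

The injection-shaped search request is stopped by the rule, while the account request for someone else's statement passes the WAF untouched and is only refused once the ownership check exists in the handler.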
If I were a cynical person, I might think Mr. Krikken has made his living in the “advising people who sell bandages to trauma patients” world of information security too long to be taken seriously. Glad I’m not like that.
Full disclosure/reminder bits: I work in vendorland, and have for the past several years, and these vendors use analysts to help focus products and messages. Hopefully it is obvious that I have not fallen completely under the spell of industry analysts. (With at least one notable exception.)
Jack
5 comments:
I'll bite that 99% of attacks can be stopped by patching, but say that that's 99% of attacks that are not due to misconfiguration, default passwords, physical attacks, SE attacks, etc.
Reminds me of http://taosecurity.blogspot.com.au/2012/04/salvaging-poorly-worded-statistics.html; if you haven’t already read it you might enjoy it. Basically Richard talks about statistics being twisted to sound snappy but then losing all context, and without context they are meaningless.
If I were a cynic I might think you make a point by quoting out of context and painting me with a broad "must be vendor-driven crap" brush ;)
Not even two sentences later it says "[...] externalized components such as WAFs should be used in concert with code frameworks and platform features to fill in security functions."
This is not about switching built-in for bolt-on. It's about a balanced diet. And the code fixing part of the diet has to be made easier for developers - hence the framework discussion, although I really wish there were more/better ones out there by now.
However, it's also about overcoming this notion that security technologies must by definition be band aids. I don't believe it's healthy - especially in the short to medium term - to automatically put the cone of shame on everyone using WAFs, DAPs, and XML GW features for protection. It's not for everything and everyone, but I definitely see value there.
Unfortunately it was translated into "alternative strategy" in the article - but a replacement is clearly not what I advocate.
Anyway, I think it's a valuable and necessary discussion, and one I will definitely keep up. I'm sure you will too!
Looking at the article again I don't think the essence of what I'm trying to say comes out clearly - so here's straight from the analyst's mouth :)
http://blogs.gartner.com/ramon-krikken/2012/07/02/creating-an-appetizing-and-healthy-application-security-diet/
Tim, I'll buy that those attacks can be stopped from succeeding, but they will be launched anyway (pedantic point, but that's me).
HybridAU, yep, that's a good one by Richard, and it is a common (and not new) issue.
Ramon, OK, it looks like we're closer than it first appears. Good response, folks should read your post. And of course I'm cynical and hyperbolic, no one is surprised there.