Dailydave mailing list archives
Re: Twitter: (verb) to fail under exponential growth
From: "Marc Maiffret" <mmaiffret () inveniosecurity com>
Date: Sun, 29 Jun 2008 17:41:58 -0700
-----Original Message-----
From: Dave Aitel

> Talking with my British friends lately they're all quite obsessed with trash. For good reason, I assume, since they now have strict recycling
> <snip>

I am not sure what unsustainable growth in human garbage or number of virus signatures really has to do with security tools not taking the extra step in automation. Vulnerability assessment and code bugs do not create an exponential amount of findings but rather a steady stream; mileage may vary. Some could argue they are exponential in their databases of things to scan for, but that is not true with code bugs, and in the case of VA there are typically a lot of superseded patches where you are looking for the latest rollup rather than the 100 bugs that led up to it. But I'm digressing...
> I've always wondered about the rest of our technology that fails in a similar way. Why do our application assessment tools not also fix the bugs they find? If you're trying to buy web application scanning, then your scanner should also be updating the application to fix those pesky SQL Injection bugs. Your binary/source analysis tool should be svn committing patches to fix your overflows. If you have to rely on a developer to understand the bugs themselves, it doesn't scale. Your network attack tool should upload and run the right patch automatically.[1] Does the modern generation of scanners do this?
Automation can be a great thing, or it can be a bane. Too many times these days technology caters to laziness or serves as a Band-Aid for human stupidity, like the difference between side airbags and cars that can parallel park themselves. Coding mistakes are a human problem, not a technology one. You very well could create an ASP source code scanner that not only finds but patches vulnerabilities, but most likely the humans that write that program will fail at thinking about all of the nuances in coding and build processes across organizations and therefore completely f-things up in the process of automation. And at that point we would probably have forgotten why we wanted to automate this in the first place. Because we have tools that can already pinpoint code problems, but companies are too lazy to care to get them fixed. Smaller companies simply have no idea what any of us are currently talking about and probably outsourced their website to someone equally as clueless, and none of these people are making enough money to afford to build things the right way[1]. Which is why Google Apps and Microsoft Live are doing it all for them. They can afford to do it securely and hopefully care enough to. For large companies, though, it would simply cost them more time/money to try to use automated code fixing tools than tools that detect potential problems that are then reviewed by educated developers. And I can hear it now, "developers don't know anything!" and I completely agree, but that is the root of the problem and where the money should be spent more than anywhere else. The complexity in security is not from any complexity in technology but from the complexity in motivating people to truly care about security and act accordingly. Non-accidental Murder by Technology will help speed people's thinking along.
> - -dave
>
> [1] Obviously you can upload a management program like BindView instead, but this means you have to MANAGE everything, which doesn't scale.
Companies already have to manage everything, so they will have to deal with scale either way. Maybe BindView does not scale (I don't know), but there are companies in the world that manage half a million or more Windows systems centrally, including patching, and they do an extremely good job of it. As you seem passionate on the subject, I cannot help but ask: when is Canvas coming out with a feature to automatically push patches for vulnerabilities it uses to own a system, and how will you handle zero-day? :-)

Signed,
Marc Maiffret
Founder/CEO
Invenio Security
Security Services & Training
http://www.inveniosecurity.com

[1] - That is not to imply that security, but rather intelligence, is an expensive purchase.