Dailydave mailing list archives

Re: Twitter: (verb) to fail under exponential growth


From: "Marc Maiffret" <mmaiffret () inveniosecurity com>
Date: Sun, 29 Jun 2008 17:41:58 -0700

-----Original Message-----
From: Dave Aitel
Talking with my British friends lately they're all quite obsessed with
trash. For good reason, I assume, since they now have strict recycling
<snip>

I am not sure what unsustainable growth in human garbage or number of virus
signatures really has to do with security tools not taking the extra step
in automation. Vulnerability assessment and code bugs do not create an
exponential number of findings but rather a steady stream; mileage may vary.
Some could argue they are exponential in their databases of things to scan
for, but that is not true with code bugs, and in the case of VA typically
there are a lot of superseded patches where you are looking for the latest
rollup rather than the 100 bugs that led up to it. But I'm digressing...

I've always wondered about the rest of our technology that fails in a
similar way. Why do our application assessment tools not also fix the
bugs they find? If you're trying to buy web application scanning, then
your scanner should also be updating the application to fix those pesky
SQL Injection bugs. Your binary/source analysis tool should be svn
committing patches to fix your overflows. If you have to rely on a
developer to understand the bugs themselves, it doesn't scale. Your
network attack tool should upload and run the right patch
automatically.[1] Does the modern generation of scanners do this?

Automation can be a great thing or it can be a bane. Too many times these
days technology caters to laziness or acts as a Band-Aid for human stupidity, like
the difference between side airbags and cars that can parallel park
themselves.

Coding mistakes are a human problem, not a technology one. You very well
could create an ASP source code scanner that not only finds but patches
vulnerabilities, but most likely the humans that write that program will fail
at thinking about all of the nuances in coding and build processes across
organizations and therefore completely f-things up in the process of
automation. And at that point we would probably have forgotten why we wanted to
automate this in the first place: we already have tools that can
pinpoint code problems, but companies are too lazy to care to get them fixed.
Smaller companies simply have no idea what any of us are
currently talking about and probably outsourced their website to someone
equally as clueless, and none of these people are making enough money to
afford to build things the right way[1]. Which is why Google Apps and
Microsoft Live are doing it all for them. They can afford to do it securely
and hopefully care enough to. For large companies, though, it would simply
cost them more time/money to try to use automated code fixing tools than
tools that detect potential problems that are reviewed by educated
developers. And I can hear it now, "developers don't know anything!" and I
completely agree, but that is the root of the problem and where the money
should be spent more than anywhere else.

The complexity in security is not from any complexity in technology but the
complexity in motivating people to truly care about security and act
accordingly. Non-accidental Murder by Technology will help speed people's
thinking along.
 
- -dave
[1] Obviously you can upload a management program like BindView instead,
but this means you have to MANAGE everything, which doesn't scale.

Companies already have to manage everything, so they will have to deal with
scale either way. Maybe BindView does not scale (I don't know), but there are
companies in the world that manage half a million or more Windows systems
centrally, including patching, and they do an extremely good job of it.

As you seem passionate on the subject I cannot help but ask: when is Canvas
coming out with a feature to automatically push patches for the vulnerabilities
it uses to own a system, and how will you handle zero-day? :-)

Signed,
Marc Maiffret
Founder/CEO
Invenio Security
Security Services & Training
http://www.inveniosecurity.com

[1] - That is not to imply that security, but rather intelligence, is an
expensive purchase.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave