Dailydave mailing list archives

Re: Custom defense


From: "Andrew R. Reiter" <arr () watson org>
Date: Tue, 24 Aug 2004 11:16:01 -0400 (EDT)

On Mon, 23 Aug 2004, Dave Aitel wrote:

:So I think the real market for future security is in custom attacks and
:defenses. This is what I see people starting to work on, although they
:call it by many names (IPS, etc). Custom defenses are also good because
:they are great for monitoring, which is really what IDS was all about in
:the beginning, before they decided that good monitoring required
:thousands of signatures. I alluded to this in my OWASP talk recently,
:but I'm seeing more and more companies take "test driven development" to
:the logical extreme, of figuring out how they can detect attacks at the
:application layer, and building that into their applications from day 1.
:
:Even porting choices are custom attacks: Once Bas Alberts (you can see a
:picture of him on our website, except it doesn't do justice to his
:dimples) finished the PHP limit bug for CANVAS (released last week), we
:then field requests from all our customers to prioritize our porting and
:QA efforts. As much as I hate the "windows of vulnerability" nonsense,
:this does, in fact, affect our 0day as well. We'll assess whatever a
:target is running, and then see how far the bugs we find spread to other
:platforms, versions, or target configurations.
:
:It could be wishful thinking on my part, but I see the industry heading
:in two directions:
:1. Custom attacks and defenses (in a domain specific and application
:specific fashion). I expect this to become part of the default checklist
:for smart enterprises in the near future, although it isn't now except
:for the outliers. I don't mean "database scanners" by this though. I
:mean "special parser for bobsapp log files that runs anomaly detection
:on it"; I think there's a market for pluggable anomaly detection, for
:example.
:2. Boring audits driven by regulation. HIPAA, etc. Application security
:reviews are going to turn into checklists.
:
:What I don't see is pure application reviews and various assessment work
:ever leading to profitability in this market. It's just an impossible
:business model to execute on when playing against a decent competitor.
:For now, people are making money because the pool of people who can do
:this kind of work is tiny and demand is strong. But PaX (in the form of
:PaX and XP SP2) is going to change that. We're going to move towards a
:mindset of complacence. (And, for those of you going on about
:information warfare all the time, a position of complacence is the only
:time a Pearl Harbor can happen. Otherwise it's just a bunch of meatball
:airplanes getting shot out of the air while trying to commit suicide.)


I see your point with regards to "handle the scenario" tactics occurring;
even just look at Copilot[1].  I just wish there was a means to encourage
either software or hardware vendors to truly push out their means of
integrating hardware components that _could_ help in the creation of more
secure system designs.

Sorry for this addition... probably added nothing.

[1] Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor (see
USENIX Sec '04)


--
Andrew R. Reiter
arr () watson org
arr () FreeBSD org
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
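Dave's "special parser for bobsapp log files that runs anomaly detection on it", together with the day-1, application-layer detection he mentions, is concrete enough to sketch. The following is an added example, not code from the original thread, from Immunity, or from Andrew Reiter: "bobsapp", its log line format, the detector plugins and every log line are constructed for illustration. It fits each plugin on a baseline window of the application's own log, then runs a second window through them, reporting routes the baseline never served, query-string characters the baseline never contained, per-route response-size outliers, per-user error bursts, and lines the parser rejects.

```python
"""Pluggable anomaly detection over an application-specific log.  Added example, not
code from the original thread: "bobsapp", its log format, the detectors and every log
line below are constructed.  A detector plugin has fit(baseline_events) and check(event)."""
import re
import statistics
from collections import defaultdict, deque
# Assumed bobsapp log line:  <ts> <user> <VERB> <path> status=<code> bytes=<n> q="<query>"
LINE_RE = re.compile(r'^(?P<ts>\d+) (?P<user>\S+) (?P<verb>[A-Z]+) (?P<path>\S+) '
                     r'status=(?P<status>\d{3}) bytes=(?P<bytes>\d+) q="(?P<query>[^"]*)"$')
NUMERIC_SEG = re.compile(r"/\d+(?=/|$)")

def parse_line(line):
    """Parse one line into a dict, or return None if the parser rejects it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev.update(ts=int(ev["ts"]), status=int(ev["status"]), bytes=int(ev["bytes"]))
    ev["route"] = NUMERIC_SEG.sub("/:id", ev["path"])  # /orders/17 -> /orders/:id
    return ev

class Unseen:
    """Values of a feature that never occur in the baseline (a new route, new query chars, ...)."""
    def __init__(self, label, feature):  # feature(event) -> set of values
        self.label, self.feature, self.name = label, feature, f"Unseen({label})"
    def fit(self, events):
        self.known = set().union(*(self.feature(e) for e in events))
    def check(self, e):
        new = sorted(self.feature(e) - self.known)
        return f"{self.label} never seen in baseline: {new!r}" if new else None

class ResponseSizeOutlier:
    """A response far larger than the baseline for the same route (mean + z * sd)."""
    z = 4.0
    def fit(self, events):
        sizes = defaultdict(list)
        for e in events:
            sizes[e["route"]].append(e["bytes"])
        # deviation floored at 1 byte so a constant baseline still yields a finite limit
        self.limit = {r: statistics.fmean(b) + self.z * max(statistics.pstdev(b), 1.0)
                      for r, b in sizes.items()}
    def check(self, e):
        lim = self.limit.get(e["route"], float("inf"))  # unknown routes are Unseen()'s job
        return f"{e['bytes']} bytes on {e['route']} exceeds baseline limit {lim:.0f}" if e["bytes"] > lim else None

class ErrorBurst:
    """Stateful: `threshold` error responses from one user inside `window` seconds."""
    def __init__(self, threshold=3, window=10):
        self.threshold, self.window, self.recent = threshold, window, defaultdict(deque)
    def fit(self, events): pass  # fixed thresholds; nothing is learned from the baseline
    def check(self, e):
        if e["status"] < 400:
            return None
        q = self.recent[e["user"]]
        q.append(e["ts"])
        while q[0] < e["ts"] - self.window:
            q.popleft()
        # fire on the crossing only, not again on every later event above the threshold
        return f"{len(q)} errors from {e['user']} within {self.window}s" if len(q) == self.threshold else None

def default_detectors():
    return [Unseen("route", lambda e: {e["route"]}),
            Unseen("query chars", lambda e: set(e["query"])),
            ResponseSizeOutlier(), ErrorBurst()]

def run(baseline_text, new_text, detectors):
    """Fit on the baseline, then check each new line; returns (line_no, detector, finding) tuples."""
    baseline = [ev for ev in map(parse_line, baseline_text.splitlines()) if ev]
    for d in detectors:
        d.fit(baseline)
    findings = []
    for n, line in enumerate(new_text.splitlines(), 1):
        ev = parse_line(line)
        if ev is None:  # a line the parser rejects is itself a finding, not silently dropped
            findings.append((n, "parser", f"unparsable line: {line.strip()!r}"))
            continue
        for d in detectors:
            msg = d.check(ev)
            if msg:
                findings.append((n, getattr(d, "name", type(d).__name__), msg))
    return findings
# Constructed sample logs: a quiet baseline window, then a window containing a probe.
BASELINE_LOG = """\
1093300000 alice GET /orders status=200 bytes=812 q="page=1"
1093300003 bob GET /orders status=200 bytes=790 q="page=2"
1093300007 alice GET /orders/17 status=200 bytes=2210 q=""
1093300010 carol POST /cart status=302 bytes=0 q="item=42&qty=1"
1093300022 carol GET /orders status=200 bytes=801 q="page=1"
1093300041 bob GET /orders/18 status=404 bytes=120 q=""
"""
NEW_LOG = """\
1093300100 alice GET /orders status=200 bytes=810 q="page=4"
1093300101 mallory GET /admin/export status=403 bytes=90 q=""
1093300102 mallory GET /orders status=200 bytes=9000 q="page=1' OR '1'='1"
1093300103 mallory GET /orders/1 status=404 bytes=120 q=""
1093300104 mallory GET /orders/2 status=404 bytes=120 q=""
1093300105 mallory GET /orders/3 status=404 bytes=120 q=""
this line is not in the expected format
"""
```

Calling run(BASELINE_LOG, NEW_LOG, default_detectors()) over the two constructed windows yields five findings: the probe of /admin/export on line 2, the quote and space characters and the 9000-byte response on line 3, the third error from mallory on line 5 (the fourth, on line 6, does not fire again), and the unparsable last line; the benign first line produces nothing. The structure is the point Dave is making: the parser and its normalisation (numeric path segments collapsed to :id) are specific to this one application, while each detector is a small pluggable unit that learns "normal" from the application's own baseline and carries no signature.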

