Dailydave mailing list archives
Re: Custom defense
From: "Andrew R. Reiter" <arr () watson org>
Date: Tue, 24 Aug 2004 11:16:01 -0400 (EDT)
On Mon, 23 Aug 2004, Dave Aitel wrote:

: So I think the real market for future security is in custom attacks and
: defenses. This is what I see people starting to work on, although they
: call it by many names (IPS, etc). Custom defenses are also good because
: they are great for monitoring, which is really what IDS was all about in
: the beginning, before they decided that good monitoring required
: thousands of signatures. I alluded to this in my OWASP talk recently,
: but I'm seeing more and more companies take "test driven development" to
: the logical extreme, of figuring out how they can detect attacks at the
: application layer, and building that into their applications from day 1.
:
: Even porting choices are custom attacks: Once Bas Alberts (you can see a
: picture of him on our website, except it doesn't do justice to his
: dimples) finished the PHP limit bug for CANVAS (released last week), we
: then field requests from all our customers to prioritize our porting and
: QA efforts. As much as I hate the "windows of vulnerability" nonsense,
: this does, in fact, affect our 0day as well. We'll assess whatever a
: target is running, and then see how far the bugs we find spread to other
: platforms, versions, or target configurations.
:
: It could be wishful thinking on my part, but I see the industry heading
: in two directions:
: 1. Custom attacks and defenses (in a domain specific and application
: specific fashion). I expect this to become part of the default checklist
: for smart enterprises in the near future, although it isn't now except
: for the outliers. I don't mean "database scanners" by this though. I
: mean "special parser for bobsapp log files that runs anomaly detection
: on it"; I think there's a market for pluggable anomaly detection, for
: example.
: 2. Boring audits driven by regulation. HIPAA, etc. Application security
: reviews are going to turn into checklists.
:
: What I don't see is pure application reviews and various assessment work
: ever leading to profitability in this market. It's just an impossible
: business model to execute on when playing against a decent competitor.
: For now, people are making money because the pool of people who can do
: this kind of work is tiny and demand is strong. But PaX (in the form of
: PaX and XP SP2) is going to change that. We're going to move towards a
: mindset of complacence. (And, for those of you going on about
: information warfare all the time, a position of complacence is the only
: time a Pearl Harbor can happen. Otherwise it's just a bunch of meatball
: airplanes getting shot out of the air while trying to commit suicide.)

I see your point with regards to "handle the scenario" tactics occurring; even just look at Copilot[1]. I just wish there was a means to encourage either software or hardware vendors to truly push out their means of integrating hardware components that _could_ help in the creation of more secure system designs.

Sorry for this addition... probably added nothing.

[1] Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor (see USENIX Sec '04)

--
Andrew R. Reiter
arr () watson org
arr () FreeBSD org

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave