Vuln research credit / security tipping point
November 16, 2008
Two great posts from the Veracode blog I have to point out if you haven’t read them already
The first one, Credit for Researchers, I think is very important. From my academic days, referencing previous work was de rigueur and you just weren’t taken seriously if you published or spoke without noting the people who laid the ground before you, and other views/options on the subject – basically not referencing was a way of admitting that you hadn’t looked at what came before, or other ongoing work in the area, which was "bad" (ignorant, to be more precise).
There’s lots of security research going on out there – independent or part of an organization – and from what I’ve been seeing for the past few years, very little of it is totally original. That’s not to say this is not OK, as it’s to be expected (encouraged, in fact), but I’m seeing very few people reference previous work as part of a disclosure. This means that either a) these people are forgetting to reference previous work, b) they are not referencing on purpose (as it makes their work look more "original"), or c) there’s a lot of "independent re-discovery" going on.
I’m not sure which it is, but there are issues with all three. Re-discovery is a problem because it means that we aren’t learning from previous knowledge. Not referencing when you know of other work is academically dishonest. "Forgetting" (or not being aware of other work) is ignorant and only focuses on a small part of the problem (edit to add: perhaps you did find a "unique" vuln/issue – congrats, give yourself a pat on the back, note how unique your finding is, and now go back and reference the places where it should have been looked at/discovered/thought about, and perhaps why it wasn’t). My call, as is Chris’s in the Veracode blog post, is for us to get a bit more academic in the way we approach security research. If not, we’ll be doomed to this never-ending hamster wheel of pain feedback loop, making the same mistakes / finding the same issues / never addressing the "real" issues.
The other post (also from Chris Wysopal, also from the Veracode blog) is one saying we’ve reached the application security tipping point. I actually think we reached that tipping point some time ago (2 years?), where fewer and fewer vulns were being discovered in OS and large vendors, but increasingly in software from thousands of smaller software vendors.
I’ve spoken to a few people about this, and I don’t think that the overall security future looks all that rosy. Microsoft are spending a lot of effort on security, and it seems to be paying off (or not). When MSFT manages to lock down their software so that the effort in finding vulns is not worth the payoff (mitigating controls, defense in depth, quick discovery/response/resolution, etc), where is the attention going to go? People I’ve talked to at MSFT say that their job isn’t over by a long-shot; they are very much interested in the full ecosystem so helping users create secure products is also in scope, but once again, where do the hackers go?
They don’t just go away; they go to the next level of lowest-hanging fruit. It might be other vendors (Apple, Adobe, Google for example) which may not have the focus that Microsoft has been forced to have, or even worse, smaller players like custom websites or things like WordPress, Movable Type, phpBB, vBulletin, etc – software that has a huge install base, but perhaps not the resources to deal with a full-frontal attack.
In any case, unless lots more people take these issues seriously (and to their credit, many are), I don’t necessarily like the way this could be heading. Rather than having a few "threat sinks", we could end up with many, and down the path of very custom attacks that are incredibly hard to detect and protect against. It’s certainly in progress in the cybercrime community (see Iftach "Ian" Amit’s BlueHat talk if/when it becomes available) and could only be a matter of time before it’s widespread.
Think of it as security’s own Hydra – cut off one head (vulns in a major vendor), two grow back (vulns in smaller vendors), and that’s a worrying proposition.

November 17th, 2008 at 4:15 pm
Common Applications Are Now The Weakest Link | securosis.com said: [...] Mike Andrews also nails it: [...]