Computerworld - Happy New Year, folks. As usual, the turn of the calendar has brought no shortage of articles predicting the future. That's all well and good, but it's a good idea to also take stock of where we are before we chart our course forward, so we can truly improve things for the future.
You see, one of my pet peeves with our industry is how abysmal we tend to be at learning from our mistakes. Rather than blithely charging forward only to repeat those mistakes, let's study them and learn from them a bit first.
With that, here are a few things (in no particular order) where we are making some really big mistakes. These are, in my view, some of the real fundamental causes of the biggest problems we're dealing with today -- and into the future, no doubt.
We've seen this for years, and yet we keep doing it. In the late 1980s when PC viruses first started popping up on our systems, vendors started providing tools to detect and remove known viruses. Yet, pretty much every technically inclined person at the time acknowledged that these signature-based products were short-term solutions to a bigger problem.
That same mistake was repeated when intrusion-detection systems (IDS) started to become popular in the late 1990s. Indeed, many of today's most prevalent IDS and intrusion-prevention products still rely on static signature databases to detect attacks.
Sure, the products have improved greatly, and the signature engines have gained capabilities like regular expression parsing and scripting to make them more accurate. But the underlying issue remains.
Until we start really pushing for positive validation approaches -- mechanisms that only allow things that are safe and prevent all others -- we're going to continue to be "surprised" by novel attacks. To do positive validation, we need to understand the context of what is going on, which means the solution must reside in (or very close to) our application software.
I know full well this is much easier to say than to achieve, but we have to do much better.
Penetration tests are a vital part of our security arsenal, but relying solely on them to determine whether an application or system is secure is downright negligent.
The reason for this is that penetration testing tools and techniques are all too often simply based on network and application scanning. These are inherently outside → inside approaches that fail to look deeper into the underlying software architecture, design and source code.
Any responsible security testing program must include appropriate design and source code reviews, in addition to other rigorous dynamic testing (e.g., module/API fuzzing). All this, of course, in addition to pen testing.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
