The fallacy of security is that simplicity or availability of the solution has anything to do with time to resolution
The announcement of the discovery of a way in which an old vulnerability might be exploited gained a lot of attention because of the potential impact on Web 2.0 and social networking sites that rely upon OAuth and OpenId, both of which use affected libraries. What was more interesting to me, however, was the admission by developers that the “fix” for this vulnerability would take only “six lines of code”, essentially implying a “quick fix.”
For most of the libraries affected, the fix is simple: Program the system to take the same amount of time to return both correct and incorrect passwords. This can be done in about six lines of code, Lawson said.
It sounds simple enough. Six lines of code.
If you’re wondering (and I know you are) why it is that I’m stuck on “six lines of code” it’s because I think this perfectly sums up the problem with application security today. After all, it’s just six lines of code, right? Shouldn’t take too long to implement, and even with testing and deployment it couldn’t possibly take more than a few hours, right?
Try thirty eight days, on average. That’d be 6.3 days per lines of code, in case you were wondering.
SIMPLICITY OF THE SOLUTION DOES NOT IMPLY RAPID RESOLUTION
Turns out that responsiveness of third-party vendors isn’t all that important, either.
But a new policy announced on Wednesday by TippingPoint, which runs the Zero Day Initiative, is expected to change this situation and push software vendors to move more quickly in fixing the flaws.
Vendors will now have six months to fix vulnerabilities, after which time the Zero Day Initiative will release limited details on the vulnerability, along with mitigation information so organizations and consumers who are at risk from the hole can protect themselves.
-- Forcing vendors to fix bugs under deadline, C|Net News, August 2010
To which I say, six lines of code, six months. Six of one, half-a-dozen of the other. Neither is necessarily all that pertinent to whether or not the fix actually gets implemented. Really. Let’s examine reality for a moment, shall we?
The least amount of time taken by enterprises to address a vulnerability is 38 days, according to WhiteHat Security’s 9th Website Security Statistic Report.
Only one of the eight reasons cited by organizations in the report for not resolving a vulnerability is external to the organization: affected code is owned by an unresponsive third-party vendor. The others are all internal, revolving around budget, skills, prioritization, or simply that risk of exploitation is acceptable. Particularly of note is that in some cases, the “fix” for the vulnerability conflicts with a business use case. Guess who wins in that argument?
What WhiteHat’s research shows, and what most people who’ve been inside the enterprise know, is that there are a lot of reasons why vulnerabilities aren’t patched or fixed. We can say it’s only six lines of code and yes, it’s pretty easy, but that doesn’t take into consideration all the other factors that go into deciding when, if ever, to resolve the vulnerability. Consider that one of the reasons cited for security features of underlying frameworks being disabled in WhiteHat’s report is that it breaks functionality. That means that securing one application necessarily breaks all others. Sometimes it’s not that the development folks don’t care, it’s just that their hands are essentially tied, too. They can’t fix it, because that breaks critical business functions that impact directly the bottom line, and not in a good way.
For information security professionals this must certainly appear to be little more than gambling; a game which the security team is almost certain to lose if/when the vulnerability is actually exploited. But the truth is that information security doesn’t get to set business and development priorities, unfortunately, but yet they’re the ones responsible.
All the accountability and none of the authority. It’s no wonder these folks are high-strung.
INFOSEC NEEDS THEIR OWN INFRASTRUCTURE TOOLBOX
This is one of the places that a well-rounded security toolbox can provide security teams some control over their own destiny, and some of the peace of mind needed for them to get some well-deserved sleep.
If the development team can’t/won’t address a vulnerability, then perhaps it’s time to explore other options. IPS solutions with an automatically updated signature database for those vulnerabilities that can be identified by a signature can block known vulnerabilities. For exploits that may be too variable or subtle, a web application firewall or application delivery controller enabled with network-side scripting can provide the means by which the infosec professional can write their own “six lines of code” and at least stop-gap the risk of actively being exploited.
Infosec also needs visibility into the effectiveness of their mitigating solutions. If a solution involves a web application firewall, then that web application firewall ought to provide an accurate report on the number of exploits, attacks, or even probing attempts it stopped. There’s no way for an application to report that data easily – infosec and operators end up combing through log files or investing in event correlation solutions to try and figure out what should be a standard option. Infosec needs to make sure it can report on the amount of risk mitigated in the course of a month, or a quarter, or a year. Being able to quantify in terms of hard dollars provides management and the rest of the organization (particularly the business) what they consider real “proof” of value of not just infosec but the solutions in which it invests to protect data and applications and business concerns.
Every other group in IT has, in some way, embraced the notion of “agile” as an overarching theme. Infosec needs to embrace agile as not only an overarching theme but as a methodology in addressing vulnerabilities. Because the “fix” may be a simple “six lines of code”, but who implements that code and where is less important than when. An iterative approach that initially focuses on treating the symptoms (stop the bleeding now) and then more carefully considers long-term treatment of the disease (let’s fix the cause) may result in a better overall security posture for the organization.
About Lori MacVittie
Lori MacVittie is a subject matter expert on cloud computing, cloud and application security, and application delivery responsible for education and evangelism across F5’s entire portfolio. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University, and is an O’Reilly author.
There were some interesting developments with regard to crypto and TLS this year at the BlackHat security conference. This first article is about the BREACH attack, CVE-2013-3587. For background, take a look at my earlier article that talks about TLS encryption algorithms.
BREACH is a refinement of the CRIME and TIME attacks. This attack takes advantage of the side channel information leak caused by compression. In the earlier CRIME attack, the attacker had to use TLS compression, but ...
F5 has used the Linux standard MD5 hashed passwords since the introduction of V9. These passwords are resistant to rainbow tables, but not completely immune. Recently, BIG-IP 11.4 was enhanced to hash local passwords with the salted SHA512 algorithm rather than MD5. These hashes start with $6$<salt>$<hash> and are considered much more resistant to rainbow table attacks. F5 is always looking for ways to make our platform more secure.
Is your house vulnerable? Imagine coming home, disarming the alarm system, unlocking your doors and walking into a ransacked dwelling. There are no broken windows, no forced entry, no compromised doggie doors and really no indication that an intruder had entered. Welcome to your connected home. I stop short of calling it a 'smart' home since it's not yet intelligent enough to keep the bad guys out. From smartphone controlled front door locks to electrica...
There are currently no comments yet, be the first to post one.
Only registered users may post comments.