Security vendor, protect thyself

Free Newsletters

Log-in | Register

SECURITY ADVISER

Security vendor, protect thyself When shoddy default security settings leave customers vulnerable, everyone loses
By Roger A. Grimes August 26, 2005			E-mail Printer Friendly Reprints Slashdot It!

A subtle trend has been emerging over the last few years and it doesn’t appear to be abating: The number of insecure computer security products is growing. The very products designed to protect us are often the ones introducing the vulnerabilities.

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Microsoft

These are products with weak configuration protection, easy-to-exploit denial-of-service attacks, and easy security bypasses. I’m talking firewalls with old Web server code and exploitable management interfaces, anti-virus products with buffer overflows, gateway products susceptible to DNS cache poisoning, and in-line filtering software vulnerable to script injection.

Although most of the products I review are commercial products, open source products are just as vulnerable. For example, Ethereal, my favorite sniffer, seems to be caught in a beyond-ridiculous cycle of exploitable packet dissectors. It’s almost becoming the rare security software product that doesn’t end up having to be patched once or twice a year.

Even security appliances are taking a beating. Many are running an outdated Linux or BSD kernel, with no easy way to update. Some vendors will tell you updating the kernel will void the warranty. Almost all come with one or more undocumented listening ports that an intruder can probe.

Many security appliances don’t require secure VPNs between the management client and the server. I’ve seen many a vendor’s VPN tunnels that rely on HTTPS, SSL, or SSH not work -- even though it appeared to be doing so.

This is a travesty. Isn’t anyone testing these features before they ship? Shouldn’t security vendors ship their products with the latest patched stuff? Shouldn’t the products contain some sort of auto-update routine? Maybe the product shouldn’t automatically apply the patch, but there should be some sort of mechanism with which one can automatically search for and download the latest patches, then notify the administrator to apply them.

Customers want to believe that our security product vendors are doing a better job at secure coding than nonsecurity product vendors. Certainly, it isn’t an abnormal expectation. The truth is that security vendor programmers are just as overworked as any programmers in any company. Oftentimes, like their counterparts, they haven’t received specific training in writing secure code or using secure coding practices.

While I was teaching advanced computer security classes at a very well known security vendor, one of their products was found to have a remotely exploitable buffer overflow affecting thousands of customers.

The vendor first learned about the exploit on a zero-day public mailing list. The guy in charge of researching the product and fixing the flaw was in my class. He had been waiting for years to take this particular class and refused to leave. What should have taken on a crisis-mode level of criticality and have been solved ASAP took over a week to resolve, and I’m fairly confident that thorough regression testing was not involved.

Customers might have assumed that a moderate-size team of programmers would be assigned to solve this problem and it would be priority No. 1. In reality, it was one guy, part-time, trying desperately to recreate and solve the problem using VMware on his laptop, all the while not missing a single class slide.

This isn’t a pretty story, but it’s probably not unique in the computer security field.

The problem of insecure computer security products is becoming so bad that malicious hackers are now targeting organizations with particular computer security products. If hackers can identify the defense tool, they can then sit back until the latest related exploit is announced and use the public exploit code (which almost always follows the announcement these days) to compromise the organization’s security defense. The hacker need only be quicker at using the exploit than the customer is at patching.

Personally, I'm getting fed up with the status quo. Here’s my open letter to computer security vendors with poor security practices:

To Whom It May Concern,
We are entrusting our enterprise security to your product. We expect our purchasing dollars to decrease our risk of malicious exploitation. As you are developing your super-duper product, take a step back and make sure secure coding is integrated into your products.

Make it easy to keep updated. Make sure your products don’t contain buffer overflows and dated programs. Include some form of auto-patching that customers can configure and manage. Deliver products that are secure by default. In short, do your job.

I’m sure the company is staffed by lots of people I’d like to have a beer with, and all of them are already overworked. But when your products become the most insecure piece of my environment and you don’t make it easy for me to stay on top of the security defense curve, I have a problem. And I’ll let my IT dollars vote for my company’s security.

E-mail

Printer Friendly

Reprints

Slashdot It!


	InfoWorld Test Center Contributing Editor Roger A. Grimes is a Foundstone Ultimate Hacking instructor/consultant teaching Windows, Linux, Unix, and Solaris security. • More of Roger A. Grimes' column Newsletter Check out all of our free newsletters! Enter e-mail address:

TOP NEWS:

» Troubleshooting tool for Java offered
Sun's Java VisualVM open-source technology views apps while they run on a JVM and is billed as all-in-one solution

» Python backing eyed for NetBeans
Scripting language capabilities of the open-source IDE continue to expand

» Microsoft sets Windows XP SP3 automatic download for Thursday
The latest service pack for Windows XP will be pushed to Automatic Update at 7a.m. EDT on July 10

» Real Software, Veryant bolster dev tools
RealBasic, Cobol apps platforms get improvements

» Microsoft sets hosted-services pricing, irks partners
By offering 38 percent discount to customers who buy entire hosted business productivity suite, Microsoft undercuts partners selling similar services

» Adobe readying new mashup tool for business users
Mashup interface code-named 'Genesis' will open up desktop 'workspace' combining business application data, documents, analytics, and instant messaging

Remote Access: Maintain Security and Decrease the Burden on IT
Join this interactive webcast to discover how IT Managers can control access rights, end-user security settings and end-point authorization. Sponsor: Citrix(R) GoToMyPC(R) Corporate

» Click here to view this Webcast

Zombie PCs Are Attacking Your LAN
A recent study showed that malware-infected zombie PCs are now a bigger threat to ISPs and Web infrastructure than DoS attacks. As this brand new IT Strategy Guide explains, an increased use of peer-to-peer techniques by the attackers has made it harder to fight back. Download now, compliments of Verio:

» Click here to download now

- Special Advertising Partners -

WHITE PAPERS

Help Simplify Virtualization - One common challenge IT organizations face is server sprawl, which can require large amounts of facilities and support resources...
Solution for Open Virtualization Provides Server Consolidation - Using virtualization to decrease the number of servers presents cost savings opportunities. Organizations that want to take...
A Guide to Rich Internet Application (RIA) Security - Read about Forrester's findings on RIA security included in a Forrester Research paper valued at $775 titled "Securing Rich...
Disaster Recovery in Minutes - This paper describes a complete disk-based system recovery solution for Microsoft Windows based servers, desktops, and laptops...
Protecting Microsoft(R) Applications - Microsoft Exchange, SQL, Active Directory, and SharePoint have quickly risen to mission-critical status in many companies...
Reduce Recovery Times and Tape Costs - Today's enterprises face a data protection challenge: how to optimize the backup and recovery of business-critical data ...

» Technology White Papers Library

Technology White Papers by Topic

Technology White Papers E-mail Alert

Find out when the latest white paper is available:

INFOWORLD MARKETPLACE

Deliver REMOTE SUPPORT Easily. Try WebEx FREE! - DOWNLOAD WEBEX SUPPORT CENTER FREE! Deliver efficient, effective support. CRUSH SUPPORT LOG JAMS!
Migrating to an IP-VPN? XO Can Make It Happen - Learn the five critical success factors with a free whitepaper from XO Enterprise Solutions.
Sign up to TRY WEBEX SUPPORT CENTER FOR FREE! - Get your FULL FEATURED trial here. Share documents and applications, address support challenges.
IP Networks Boost Secure Health Communications - AT&T provides secure communication to keep health care moving forward.
Why a CMDB? - IT best practices (ITIL) have shown the benefits of a CMDB. Click for whitepapers.

» BUY A LINK NOW

FIND PRODUCTS AND COMPANIES

» COMPLETE PRODUCT GUIDE

TECHNOLOGY INDEX

• Applications
• Application Development
• Security
• Networking
• Wireless
• Platforms
• Hardware
• Data Management
• Storage
• Web Services
• Business
• Telecom
• Professional Services
• Standards

TECH WATCH

What's the 411 on GOOG-411?
Just as Google has become synonymous with "performing a Web search," 411 is understood to mean "information" -- as in "what's the 411?" I was thus surprised to discover, from a billboard, no less, that the king of search is taking on the ...

Apple HTML source reveals 'iPhone Extreme'
"This one's a stretch..." reports AppleInsider. Um, yeah. Reporting on HTML code sightings of product names could be called a stretch, but iPhone Extreme has a ring to it. Now, that sounds like the product Apple should have released first, rather ...

COLUMNISTS

Unified under law

(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...

» MORE COLUMNISTS

MORE INFOWORLD BLOGS

Open Sources

Product Management
When I joined MySQL four years ago, there was quite a lot of debate about product management. We didn't actually have ...

Zero Day

Botnet herders tending smaller flocks
New research backs up the theory that botnet operators are keeping their networks smaller in a continued effort to keep ...

• Advice Line
• Database Underground
• The Deep End
• Enterprise Mac
• Geeks in Paradise
• Grid Meter
• The Gripe Line
• InfoWorld Daily
• Inside IT
• IT Troubleshooter
• ITXtreme
• Open Sources
• ProdBlog
• Real World SOA
• Reality Check
• Security Adviser
• SMB IT
• The Storage Network
• Tech Watch
• Virtualization Report
• Zero Day

RESOURCE CENTER	advertisement
Ads by techwords beta See your link here

GOVERNMENT IT & POLICY
•	'If you don't go after the network, you're never going to stop these guys. Never.'
•	From the State Department, All the News for Inquiring Minds
•	TechPresident, the Internet Citizenry's New Consensus Taker

Sponsored Technology Links
CA - Efficient - Flexible - Compliant PGP - Is Your Data Safe? Novell, IBM, and Intel - Solution for Open Virtualization Provides Server Consolidation Curl - IT Guide: Rich Internet Application (RIA) Security HP/Intel - If you don't have enough I/O, your VMs aren't going to go. Symantec - Whitepaper: Secure, recover, and archive critical information Microsoft - {Open Source} Heroes Happen Here Symantec - Whitepaper: Protecting Microsoft(R) Applications Riverbed - Five Ugly Truths about WAFS and Caching InterSystems - Use Ensemble - quickly create composite applications. AT&T - Factors to consider when comparing DSL or Cable Cirba - Advanced Workload Analysis Techniques Rackspace - Go Green Without Sacrificing Server Performance CA - Manage your IT more effectively. AT&T - Measuring mobile productivity AT&T - Thinking about IMS CA - Plan IT better, Manage IT better. AT&T - Refine your company's plan for a Business Disruption Event AT&T - Going mobile with today's technology Cirba - Consolidating Workloads onto Mainframes AT&T - What to expect from a Technology Assessment.		AT&T - Class of Service: Myths and Misconceptions AT&T - Enhancing security through Quantum Cryptography Riverbed - Wide Area Data Services Microsoft - Microsoft Forefront makes defending your systems easier. Learn how. HP - Explore the interactive whitepaper: Rightsizing Blades for the mid-market. Symantec - Webcast: Beyond AntiVirus AMD - Renowned Engineering Institution Chooses AMD Processor-Based Servers AMD - Watch this flash demo of the Quad-Core AMD Opteron Processor EMC - EMC and VMware help you build your virtualized infrastructure. AMD - HP and Oracle deploy unbreakable computing infrastructure Qwest - Learn how Qwest voice and data solutions can save you time. MKS - The Power of UNIX/Linux on Windows with MKS Toolkit Vision Solutions - Is your smaller organization ready for High Availability? Vision Solutions - Is system maintenance doing more harm than good? HP - NEW HP LaserJet P4014n printer Starting at $699 after $100 IS. HP - HP LaserJet M3035 MFP series Starting at $1,599. SHOP NOW HP - Speed, agility, flexibility - The HP BladeSystem c-Class. Vkernel - Resolve Capacity Bottlenecks and Enhance Your Virtual Environment Nokia - Restore Your Mobile Devices With One Click Oracle - The Power of Two with SOA and BPM

	HOME NEWS BLOGS PODCASTS VIDEOS TECHNOLOGIES TEST CENTER EVENTS CAREERS	About \| Advertise \| Awards \| RSS \| Contact Us
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy, Terms of Service. All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services. CIO :: ComputerWorld :: CSO :: Demo :: GamePro :: Games.net :: IDG Connect :: IDG World Expo Industry Standard :: IT World :: JavaWorld :: LinuxWorld :: MacUser :: Macworld :: Network World :: PC World :: Playlist