Nonsense Abounds, and More is Coming...

Thursday, July 05, 2012

Jack Daniel


I can’t even think about reading coverage of the Amazon Web Services outage; the hype and stupidity are already overwhelming.

The cloud has failed us again!

Yes, and we have failed it again, too, as we have failed pretty much every preceding technology.  If I understand it correctly, the “logic” is that those who put all of their cloud services in a single zone with a single provider, a zone/provider combo with a few scars in its history at that, are somehow the victims of a failure they should have anticipated and mitigated.  Fine, everyone’s a victim, whatever.  I propose the following slogan for AWS:

AWS, we’re cheap and so are you. Do it right or STFU

But let’s not dwell on that; recently there have been a couple of other rant-worthy stories.  We can ease into full-blown rant mode with this one:

“99% of attacks could be stopped by patching...”

At least according to the above article in Infosecurity Magazine.  There is a huge and flawed leap required to get to this utter nonsense, and it needs to be beaten down, and hard.  The article says that Stuart Aston, Microsoft’s chief UK security advisor:

“pointed out that less than 1% of attacks are based on zero-day exploits...”

And I’ll buy that, but I would obviously like an actual reference and, you know, some of that “DATA” stuff to back up the claim.  Then it gets interesting, with an epic leap of logical fallacy leading to…

“The implication is clear: 99% of attacks could be stopped by anti-malware and up-to-date, fully-patched, software.”

No, they could not. That is so very wrong, on multiple levels. First and foremost, you cannot “stop attacks”; you can only stop or alter their consequences. You can stop attacks from succeeding (sometimes), and minimize the impact on your organization, but the attacks will come no matter what you do.

And no, it is not pedantic to get wound up over using the wrong terminology in a trade publication.  Get it right.  Further, the idea that “attacks” fall into only two categories, zero-day and patchable, is more nonsense.  “Less than 1% use zero-day exploits” does not mean the other 99% use exploits for bugs that have patches; a great many of them use no software exploit at all.  No, patching and anti-malware will not fix logic flaws, authentication failures, misconfiguration, or a myriad of other problems.  A fully patched server running an application that hands any logged-in user any other user’s records is not saved by a patch, because there is no patch to apply.  Nonsense and drivel, stop it.

But that is really only a minor annoyance compared to the rage-inducing drivel which recently came from Ramon Krikken, a research vice president at Gartner.

As referenced in this Search Security article, Mr. Krikken said some logical things, such as that there is a clear disconnect between security and application development, and that developers are going to do what they are measured on, which is generating code, not necessarily generating secure code.

There are some other viable references and observations in there, but the madness comes from his view of Web App Firewalls and other bolt-ons:

“The application security challenge has become so difficult to address through development, Krikken said, that he instead encouraged enterprises to consider an alternative strategy that relies less on developers and more on integrating defensive technologies – like Web app firewalls (WAFs), database audit and protection (DAP) products and XML gateways – into the enterprise application architecture.”

Secure coding is so hard that we need to rely on WAFs and other bolt-ons to protect us?  But a WAF is software too, software that parses hostile input for a living and usually ships with a web management interface of its own, and as we know web software has vulnerabilities, so do I need to put another WAF in front of my WAF to protect it?  How far does that go?

We have seen vulnerabilities in WAFs, and we will see more.  Also, WAFs are far from perfect: they can do nothing about most complex bugs, and they can rarely handle logic flaws, because a request that abuses business logic looks exactly like a legitimate one on the wire.  So we’re just throwing another layer of complexity into the stack to add security?  Bolt-on security doesn’t have a great track record.

There is a place for WAFs; in my mind they can perform two functions very well: filter out basic internet crap, and, when properly tuned (generally with custom rules), provide a defense against known weaknesses in web applications until the code can be fixed, what is usually called virtual patching.
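To make the two points above concrete, the one about patching versus logic flaws and the one about what a WAF is and is not good for, here is an added example, not code from the original post or from any product: a toy request pipeline with a signature-style WAF stage in front of an invoice lookup. The invoice data, the signatures, the users, and the “known bug” (a hypothetical export=xml parameter that the custom rule virtual-patches) are all constructed assumptions. The stock signatures block a tautology SQL injection, the custom rule blocks the one known bug, and neither does anything about a logged-in user reading someone else’s invoice; only the ownership check in the code does.

```python
import re
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample data (not from the original post): two invoices, two owners.
INVOICES: Dict[int, dict] = {
    1001: {"owner": "alice", "total": "120.00"},
    1002: {"owner": "bob", "total": "980.00"},
}

# Crude stock-style signatures: the "filter out basic internet crap" job.
GENERIC_RULES = [
    re.compile(r"(?i)'\s*or\s*'?\d+'?\s*="),  # tautology-style SQL injection
    re.compile(r"(?i)<script\b"),             # reflected XSS
    re.compile(r"\.\./"),                     # path traversal
]

# Hypothetical custom rule: virtual-patch one known bug (an export=xml parameter
# on /invoice that, in this made-up app, reaches an XML parser with external
# entities enabled) until the code is fixed. It knows nothing about ownership.
CUSTOM_RULES = [
    (re.compile(r"^/invoice$"), re.compile(r"(?i)(^|&)export=xml(&|$)")),
]


def waf_allows(path: str, query: str, custom_rules: bool = False) -> bool:
    """Signature filtering over the decoded request line. True means 'let it through'."""
    decoded = unquote_plus(f"{path}?{query}")
    if any(rule.search(decoded) for rule in GENERIC_RULES):
        return False
    if custom_rules:
        for path_re, query_re in CUSTOM_RULES:
            if path_re.match(path) and query_re.search(unquote_plus(query)):
                return False
    return True


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> Optional[dict]:
    """Authenticated, but never checks ownership: an IDOR logic flaw.
    Every byte of the request that triggers it is syntactically normal."""
    return INVOICES.get(invoice_id)


def get_invoice_fixed(session_user: str, invoice_id: int) -> Optional[dict]:
    """Same handler with the authorization check where it belongs: in the code."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != session_user:
        return None
    return inv


def handle(session_user: str, url: str, handler: Callable, custom_rules: bool = False) -> str:
    """Run one request through the WAF stage, then through the application handler."""
    parts = urlsplit(url)
    if not waf_allows(parts.path, parts.query, custom_rules):
        return "blocked by WAF"
    try:
        invoice_id = int(parse_qs(parts.query).get("id", [""])[0])
    except ValueError:
        return "bad request"
    inv = handler(session_user, invoice_id)
    return "denied" if inv is None else f"invoice {invoice_id} ({inv['owner']})"


def run_scenarios() -> Dict[str, str]:
    """Bob, logged in, sends four constructed requests."""
    sqli = "/invoice?id=1001%27%20OR%20%271%27%3D%271"   # id=1001' OR '1'='1
    idor = "/invoice?id=1001"                             # alice's invoice, looks benign
    known_bug = "/invoice?id=1002&export=xml"             # the bug the custom rule covers
    return {
        "sqli_generic_waf": handle("bob", sqli, get_invoice_vulnerable),
        "idor_vulnerable_code": handle("bob", idor, get_invoice_vulnerable),
        "idor_fixed_code": handle("bob", idor, get_invoice_fixed),
        "known_bug_stock_waf": handle("bob", known_bug, get_invoice_vulnerable),
        "known_bug_custom_rule": handle("bob", known_bug, get_invoice_vulnerable, custom_rules=True),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24s} -> {outcome}")
```

The IDOR request is the point: it carries no quote, no tag, no traversal, nothing a signature can key on, so the stock rules pass it and the vulnerable handler happily returns Alice’s invoice to Bob. The custom rule stops the one bug someone already knew about, and nothing else.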

WAFs are frequently bypassed and are generally difficult to tune properly; this nonsense from Mr. Krikken has damaged application security.  He may have said mitigating things, but the takeaway is “I don’t need secure code, because that’s hard, I just need a WAF”.  And that is dangerously wrong.

If I were a cynical person, I might think Mr. Krikken has made his living in the “advising people who sell bandages to trauma patients” world of information security too long to be taken seriously.  Glad I’m not like that.

Full disclosure/reminder bits: I work in vendorland, and have for the past several years, and these vendors use analysts to help focus products and messages.  Hopefully it is obvious that I have not fallen completely under the spell of industry analysts.  (With at least one notable exception).

Cross-posted from Uncommon Sense Security

Sal Tuzzo: Thanks JD for the directness and discipline. I agree with your attitude and your analysis. It does not take a rocket scientist to see this.
The sad part is the people making these ridiculous statements either really believe them or they are practicing Public-Con-101 for something else. Most likely the bottom line revenue if they can make people believe what they are saying.

Fact: If someone wants your server data they will get it; even if they have to break in physically and take the storage media or the whole server.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.