We have been in a world of faith-based security for far too long. Probably the biggest factor is a lack of innovation and dynamism in the discipline of information security. Consider this rough timeline of software development progress since the dawn of the web.
People pretty quickly realized that plain HTML was not enough, so developers invented CGI/Perl for more dynamic sites. Once they wanted to scale and pool, they built out ASP and JSP; then, to deliver middle-tier components, they developed EJB, J2EE, and DCOM. After that there were a lot of heterogeneous systems that needed to talk to each other, so SOAP and XML came along to address that. This path diverged into the ultra-simple (REST) and the more powerful but baroque (SOA), and finally the user side got some love with Web 2.0 technologies. That's a heck of a lot of engineering and innovation by the software development community in plus or minus 8 years.
Now let's check in with the developers' brethren over in information security. Well, once the web came along, the information security community quickly realized that network address translation was going to be important, and further that encrypting the communication channel between the browser and the web server was also crucial. And then they addressed all the security issues of ASP, JSP, EJB, J2EE, DCOM, SOAP, XML, REST, SOA, and Web 2.0 with... umm... more of the same!
That's a pretty poor showing for innovation considering the enterprise investment in information security. Sure, the software developers have a bigger budget, but come on, infosec - show some pride!
Infosec types like to throw developers under the bus for security issues, but it's a collective failure. Sure, developers need to learn more about secure coding, but as the table above shows, security is not keeping pace, and the gap is getting bigger.
Here is another dimension to the problem - attackers *do* evolve. The new technologies provide far greater attack surface (data, methods and channels) for attackers to exploit and/or launch attacks from.
Because the defenses have not evolved, it's a simple evolutionary adaptation for attackers to go around or through the 1995 defenses. It's not about SOAP going through the firewall; it's about never bothering to secure the apps and the data. It's like saying to your opponent, "Remember how the Detroit Lions played defense in a certain game in 1995? We're just going to do that."
So with the software developers' latest evolution we get Mr. O'Reilly's famous Web 2.0 meme map.
But where is the co-evolution in infosec? There is none. There is co-evolution in the attacker space, though. Here is a sample Web 2.0 attacker meme map.
So the firewall offers great protection if your adversary is using Visio, but otherwise it's mostly useless.
So we would want to see two things happen: first, developers start writing more high-assurance code, and second, infosec evolves its security services to form-fit to that which they are protecting. Hint - it ain't a Visio diagram.
The thing is, we are getting better tools. Static analysis is a very powerful tool to improve your software security from a bottom-up perspective, and it can scale. These tools continue to get better. We are getting better standards - WS-Security, WS-Trust, and company enable fundamentally new security architectures. And we're getting better primitives, especially in the identity space - SAML, CardSpace, and friends will one day let us live in a world where users are not typing a username and password into a web browser to do online banking.
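To make the "bottom-up" point about static analysis concrete, here is an added example (not code from the post or from any of the tools it mentions): a minimal AST-based checker that walks Python source and reports a few well-known insecure call patterns. The rule identifiers, the sample module it scans and the set of patterns are all constructed for this illustration; a real analyzer covers far more, but the shape is the same - every finding is tied to a line and a rule, so the check runs the same way over one file or a whole code base.

```python
"""Minimal AST-based static analysis checker (added example, not the post's own code).

Flags three patterns in Python source:
  - eval()/exec() calls
  - a SQL statement built at runtime (concatenation, %, .format, f-string)
    passed to cursor.execute()/executemany()
  - subprocess.* calls with shell=True
Rule identifiers and the sample module are invented for this example.
"""
import ast
from dataclasses import dataclass
from typing import List

RULE_EVAL = "PY-EVAL"            # invented rule id
RULE_SQLI = "PY-SQL-CONCAT"      # invented rule id
RULE_SHELL = "PY-SHELL-TRUE"     # invented rule id

DB_EXEC_METHODS = {"execute", "executemany"}
SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when the node builds a string at runtime rather than being a literal."""
    if isinstance(node, ast.JoinedStr):            # f"..." with placeholders
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                # "a" + b  or  "a %s" % b
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"          # "...{}".format(b)
    return False


class InsecureCallVisitor(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # eval(...) / exec(...)
        if isinstance(func, ast.Name) and func.id in {"eval", "exec"}:
            self.findings.append(Finding(RULE_EVAL, node.lineno,
                                         f"use of {func.id}() on runtime data"))
        # cursor.execute(<string built at runtime>)
        if (isinstance(func, ast.Attribute) and func.attr in DB_EXEC_METHODS
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append(Finding(RULE_SQLI, node.lineno,
                                         "SQL built from runtime data; use bind parameters"))
        # subprocess.run(..., shell=True) and friends
        if (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
                and isinstance(func.value, ast.Name) and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(Finding(RULE_SHELL, node.lineno,
                                                 "subprocess call with shell=True"))
        self.generic_visit(node)


def scan_source(source: str) -> List[Finding]:
    """Parse one module and return its findings sorted by line number."""
    visitor = InsecureCallVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


# Constructed sample module: three insecure lines (5, 7, 9) and two safe ones (6, 8).
SAMPLE_SOURCE = '''
import subprocess

def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")   # concat -> flagged
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))      # bound param -> ok
    subprocess.run("ls " + user, shell=True)                         # shell=True -> flagged
    subprocess.run(["ls", user])                                     # argv list -> ok
    return eval(user)                                                # eval -> flagged
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Running the module reports lines 5, 7 and 9 of the sample and stays silent on the two safe lines; pointing `scan_source` at every file in a tree is a loop away, which is the "it can scale" part of the argument.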
So maybe the innovation tide is turning, but there is a lot of ground to catch up: infosec is about a decade behind the developers and probably close to that far behind the attackers. It's going to take something special to catch up, but is there any other way? I think a big part of catching up is putting together a realistic, pragmatic blueprint to evolve your security architecture - a roadmap that addresses your people, processes, and technology. There are standards, primitives, and tools to leverage, but by themselves they are just pieces; they have to be brought together into a cohesive design. It's not an overnight thing to realize this, but the point is for infosec to *begin* the evolutionary process. Now. For real use cases. Using the security protocols, mechanisms, and skills we have available now.
The Road goes ever on and on,
Down from the door where it began.
Now far ahead the Road has gone,
And I must follow, if I can,
Pursuing it with eager feet,
Until it joins some larger way
Where many paths and errands meet.
And whither then? I cannot say.
- J.R.R. Tolkien, The Hobbit
While I don't disagree with your assertions, I don't know that you're being altogether fair. There has been a constant pace of innovation in security technologies over the past 10 years. However, innovation does not immediately translate to deployment. Just look at how long it's taken businesses to relent and deploy disk encryption. We're seeing the same thing with encryption of certain types of data, too, thanks in part to PCI. Now we'll also begin seeing some improvements in web app security, thanks also to PCI. So, I would put the responsibility, not on the heads of the security industry, but on the companies that still view security tools as frivolous overhead costs that aren't really needed.
Posted by: Ben | May 20, 2008 at 08:44 AM
I think the key problem is that attackers don't have to follow the rules defenders have to. This constrains innovation. It's even worse when defenders have to contend with additional constraints which have no bearing on security but pander to the needs and wants of users. It's an arms race, a very unfair one.
Posted by: Marinus van Aswegen | May 21, 2008 at 05:08 AM