
Maturity adds to security


I know it’s obvious, but we tend to forget it and expect technology to be secure just like that, from the very moment of its conception in the inventor’s mind. The sad reality is that even technologies designed to provide better security turn out to be insecure themselves. The trouble, it seems, is that it is considerably difficult to see all the possible weaknesses from the very beginning, especially when functionality is a lot more of a concern than security.

So, just face it: once we develop a brand new technology it nearly always has fundamental flaws (think web scripting and all the SQL injections, XSS (Cross Site Scripting), etc.). It was essentially the same with coding “normal” applications, which were full of buffer overruns, integer overflows, format string vulnerabilities and the like. But then, after something like ten years, ideas like sandboxing and managed code caught on and seem to be doing a fairly good job. Interpreted languages with a high level of abstraction in memory management became efficient enough to be of any use. Programmers learned how to use the standard APIs properly. And finally the trouble with memory management slowly became less and less painful.

Add to that the fact that new and much easier to exploit vulnerabilities emerged, and everybody slowly turned their back on the good old buffer overruns and such. Instead we have XSS, CSRF (Cross Site Request Forgery), SQL injection and the rest of the family.

But what will happen to these in time? Of course, they will slowly become harder to exploit. Smarter web developers have already started using robust frameworks that reduce the chance of introducing web-era vulnerabilities into their code: the database layer takes bound parameters instead of SQL glued together from strings, and the template engine escapes output by default. The world is slowly learning how to use web IDS/IPS systems. And generally, we get more and more secure every day.
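To make the point about frameworks and APIs concrete, here is an added example (not code from the original post) showing both generations of the same two bugs side by side: an SQL lookup built by string formatting next to the parameterized version a sane database layer gives you, and raw HTML output next to the escaped output a template engine produces by default. The table, the user names and the payloads are constructed for the demonstration; the only real APIs used are the standard library’s `sqlite3` and `html.escape`.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for a user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)]
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The web-era bug: the query is assembled with string formatting, so the
    caller controls SQL syntax, not just a value. Kept deliberately broken."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """What a robust data-access API does for you: the value travels as a bound
    parameter and is never parsed as SQL, whatever characters it contains."""
    return [
        row[0]
        for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    ]


def render_raw(name: str) -> str:
    """The XSS counterpart: attacker-controlled text dropped straight into HTML."""
    return "<p>Hello, %s</p>" % name


def render_escaped(name: str) -> str:
    """What an auto-escaping template engine does: markup characters are
    neutralised before the text reaches the browser."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo() -> dict:
    """Run both variants of each bug against a classic payload."""
    conn = make_db()
    sql_payload = "' OR '1'='1"            # closes the quote, makes WHERE always true
    xss_payload = "<script>alert(1)</script>"
    return {
        "concat": sorted(lookup_concat(conn, sql_payload)),   # every user leaks
        "param": lookup_param(conn, sql_payload),             # no such user name
        "raw": render_raw(xss_payload),                       # script tag survives
        "escaped": render_escaped(xss_payload),               # rendered as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-8s %r" % (key, value))
```

The point is not that `lookup_param` is cleverer than `lookup_concat`; it is that once the safe call is the easy, default one, the whole bug class stops being something every programmer has to remember about, which is exactly what happened to buffer overruns when managed memory became the norm.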

But what will happen next? Some brand new, shiny technology everyone sooo wants to use will pop up, no doubt about it. And we’ll have the same trouble again. Unless, of course, security gets designed into the technology from the very beginning (not likely to happen, unfortunately), or unless we let it mature before running an internet banking site on it. It won’t be cutting edge anymore by then, true, but isn’t it better to let someone else fly the plane the first time?

So, here is the trade-off — you either wait for enough people to get burnt while trying out the new toy before you put your hands on it, or you are the one that others watch getting burnt. It’s always like that, I’m afraid. And I think the best advice here is to know how much you are risking before you decide either way.

© 2006-2007 Michał Sobiegraj. All rights reserved. The views expressed here are my own, and not necessarily endorsed by any former or current employer.

About

This page contains a single entry from the blog posted on June 23, 2007 1:40 AM.

The previous post in this blog was Divide et impera.

The next post in this blog is Manage or be surprised... in a rather unpleasant way.

