This article can also be found in the Premium Editorial Download "Information Security magazine: Does security make the grade in Windows Server 2008?."
Encryption cannot patch the holes created by insecure software.
If anything, SSL is too well implemented, and people think it covers all their needs, like a giant security blanket. They forget there is much more to security than just using SSL.
Gene Spafford famously once said, "Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit card information from someone living in a cardboard box to someone living on a park bench." He's still right today.
Although operating systems are more secure than they were 10 years ago, and we are much better at patching them, that isn't sufficient. Dan Geer recently released an extensive paper on trends in the information security industry. Using data from the National Vulnerability Database, he quantitatively showed what we already had intuited: Attackers have moved to targeting applications with great success, exploiting cross-site scripting and SQL injection vulnerabilities by the boatload.
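The point that encryption does nothing for application-layer flaws is easy to see in code. The following is an added example, not code from the article or from any product it mentions; the in-memory table, the sample rows and the two inputs are all constructed for the demonstration. TLS would encrypt the request carrying the user's input in both cases, but only the parameterized version keeps that input from changing the meaning of the query.

```python
import sqlite3

def make_db():
    # Constructed in-memory database with two sample rows (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "4111-xxxx-xxxx-1111"), ("bob", "5500-xxxx-xxxx-0004")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # Builds the statement by string concatenation, so the input is parsed
    # as SQL. Encrypting the connection that carried 'name' changes nothing:
    # the database executes whatever the concatenated text turns into.
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    # Binds the value to a placeholder. The driver passes it separately from
    # the statement, so the input can only ever be compared as data.
    return conn.execute(
        "SELECT name, card FROM users WHERE name = ?", (name,)
    ).fetchall()

if __name__ == "__main__":
    conn = make_db()
    honest = "alice"
    # The textbook tautology input; with concatenation it widens the WHERE
    # clause to match every row, which is how card data leaks over a
    # perfectly good TLS session.
    hostile = "x' OR '1'='1"
    print("vulnerable, honest input:   ", lookup_vulnerable(conn, honest))
    print("vulnerable, hostile input:  ", lookup_vulnerable(conn, hostile))
    print("parameterized, hostile input:", lookup_parameterized(conn, hostile))
```

Run it and the concatenated query returns both rows for the hostile input while the parameterized query returns none; the fix is in how the query is built, not in the transport.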
Despite what we know and what industry leaders like Microsoft and Oracle have done to make their products more secure, the software industry just doesn't seem to get it. While some Web-based applications display badges from services like Hacker Safe, which actually test for vulnerabilities, these sites are few.
This was first published in February 2008