As Gary McGraw mentions in his [In]Security column this month, the continuing flow of news about sophisticated, international cybercrime—so prominent in the media recently—might finally have gotten to us. In a good way. A lot of words have been squandered in proclaiming the death of antivirus scanning, the collapse of the endpoint, and the inability of traditional intrusion detection systems to serve any good purpose against advanced threats; and yet, we have seen no paradigm shift in the trenches where it counts.
McGraw’s primary solution, one that I’ve always been inclined to favor, lies in developing more security capable software. I don’t know that game changing shifts in the resilience of software should be expected anytime in the near future though. Our education columnists Doug Jacobson and Julie Rursch note that college classes in software development generally give security issues a cold shoulder, saying that “…In our software classes, we focus on getting students to program and to learn the aspects of the language. Seldom do we ask them to consider security and, rarely, are their programs graded on it.”
Still, while we may not get the next generation of programmers trained for security, we still generally concede that the old approaches won’t get the job done either. I can’t help but recall that our recent reader survey found that one in five of enterprise respondents indicated that within five years, they’d no longer be committed to using static signature scanning. There was similar chatter in the halls at the recent RSA conference in San Francisco: scanning doesn’t cut it. I don’t know anyone who’s actually jettisoned endpoint scanning, but it does feel to me as if practitioners have at least moved to a point where they’re willing to concede that just throwing more antivirus software onto the desktop is not going to stop anything other than the most basic of attacks.
Guest columnist David Sherry, at least, believes that the role of the CISO is changing to recognize the new degree of risk within the enterprise. Sherry notes, and I think many observers would agree that there is a new level of maturity in both the security industry and the CISO function. Does that maturity mean our organizations will take a rational view of what defenses were in place should a breach occur, or is the guy who’s gutsy enough to stop wasting time on scanning software likely to wind up looking for a new career when an intrusion is discovered?
So what changes in security technology or approach could actually make a difference? In addition to better software coding, one potential game changer in security is a renewed attention to identity management. Peter Gregory notes, “...organizations in this situation are not in control of their asset management policies.” What isn’t necessarily a revolution in security, on the other hand, is the rollout of IPv6. It doesn’t really bring new capabilities, Fernando Gont argues, “There are no security features in IPv6 that were not readily available for IPv4.”
Finally, in a nod to the ongoing changing of the sophistication of attacks, this issue offers a look at the current state of botnets. I mention this piece partly because of its author, our newly arrived features writer and editor Kathleen Richards. She’s hit the ground running and her handiwork is embedded throughout this month’s issue. I’ll let the article speak for itself, but for the moment let it suffice to say that there’s a lot going on with botnets.
Oh, and we’re not going to stop botnets with static virus scanners. It’s really time to stop just saying this sort of thing and actually, start acting like we know it’s true.
- State of Software Security Developer Guide –Veracode, Inc.
- The State of Software Security: Developer Guide –Veracode, Inc.
- Secure Software Development in the Financial Services Industry –GitHub
- Security at the Speed of Software Development –WhiteSource