|
This year, security pros will finally get in the groove and refocus on security's primary task: Keeping corporate data safe. Easier said than done as insecure, albeit innovative, SOAs and Web 2.0 technologies take off like rockets in the enterprise, chased by incredibly motivated attackers. Beating developers and app vendors over the head while demanding impenetrable code may be cathartic, but it will get you nowhere. Instead of pointing fingers, look to innovative XML and SOA security appliances. Protecting endpoints will get easier as well, thanks to developments in active protection and scanning tools.
As for compliance, can we have some sanity? Rather than fighting the inevitable, embrace the spirit by reconciling internal and external security policies and postures, and welcome external auditing--face it, it's a good and underutilized practice. Yes, you'll still hear way too many product pitches that promise magic bullets. No, there isn't one, but vendors have made strides. Database protection is finally mainstream, for example. Now, you need to figure out where sensitive data resides on your network. The same is true of applications: Knowing what Web servers have been thrown up outside of IT and what data they're offering--and to whom--is a big job. Ensuring that those applications are locked down is an even larger task.
Then there's the people factor. On the end-user front, we're hoping IdM (identity management) can save us from ourselves. We've slowly but surely built silos of group-based policies and autoprovisioning, and now we have too many groups to manage effectively. Of course, the alternative--managing individuals--is simply untenable.
Finally, everyone needs a good guard dog. NBAD (network behavior anomaly detection) systems have filled that bill so well that their functionality is getting sucked into other product areas.
Thanks For The Memory Overflow
Insecure code is a problem that's been amplified by reuse of SOA Web services and Web 2.0 technologies--let's face it, SOA continues to garner mindshare, and the Ajax bug has bitten developers with a vengeance. But simply demanding more secure applications isn't the answer; most developers lack the formal training to improve coding security, and the sheer determination of attackers is frightening to behold.
Later this year we'll review the latest crop of code scanners to see whether they're effective safeguards, or simply provide a false sense of security. For now, your best bet is endpoint protection products that detect and block suspicious runtime activity. It's very difficult to write code to defend against buffer overflows, for example, but developing driver-level systems that watch buffers like hawks and stop overflows is relatively easy. Vendors such as Privacyware, Sana Security and V.i. Laboratories are leading this charge, but McAfee and other antivirus vendors are right there in the thick of it.
Watch for this memory protection technology to find its way into mainstream desktop security products through antivirus and HIPS vendors; the functionality will also be in standalone packages. By year's end, all your nodes should be guarded by tools that protect APIs, watch for buffer overflows and control automated application modification of certain parts of the system registry.
Meanwhile, as traditional SOA security vendors, such as Forum Systems, IBM-DataPower and Reactivity, were off selling broad packages to the enterprise, newcomer Layer 7 Technologies not only invaded their turf, it picked up the Ajax security ball and ran with it. Layer 7 provides Web 2.0-specific security features, such as schema validation, data scrubbing and validation, plus basic DoS and schema tightening for the developer's newest darling.
Finally, there's the challenge of creating a consistent application infrastructure that adjusts to rapidly changing business and security conditions by letting apps share common services. Think about it: Moving SOA and Web 2.0 security functions into a network device makes sense, because it's wholly consistent with SOA's overall principle of reuse. An appliance can complement end-node memory protection products by preventing attacks and eliminating data integrity issues before they do any harm.
