"The main problem with Unix security is that it is very similar to office cleaning services. It is a dull and unrewarding task that needs constant attention and often involves fighting against your own management."
This characterization may apply to Unix security, but it falls shy of being sufficient for web security in several respects:
It assumes that an office exists. Web applications span multiple servers, hosting sites and networks. Containing web applications to a particular domain of control may be a consideration during a design phase but this objective is often neglected during growth stages and ultimately abandoned.
It assumes that cleanliness is a design and operational objective. Web application cleanliness translates to keeping a web site clean of vulnerabilities. Few organizations put a premium on securing web applications over publishing content as quickly as humanly possible and considerable data are available to support this assertion (see Report: Nearly 6 Million Infected Web Pages Across 640K Compromised Sites).
It assumes a steady state of dull and unrewarding. WebSense reported that in 1H2009, over three-quarters of web sites with malicious code were found to be legitimate sites that had been compromised. That's not dull but dramatic and frightening. It's also rewarding but not for the legitimate web operators.
One aspect of Nikolai's characterization of Unix security that does apply is that web security is a task that needs constant attention. Specifically, every aspect of each web application you host needs attention from design through deployment and continuing for as long as the application remains in a production environment.
Fighting with one's management is disputable. My experience is that management doesn't always fight against investing in securing web applications. The problem is not whether management fights but when. Management rarely opposes investments in security in the aftermath of an incident involving a breach or defacement of a web site. Management needs to assess risk more carefully, early and continuously, during the lifetime of a web application, and security staff need to help them by providing good data to assess that risk.

Love the analogy. Office cleaning is truly dull, but it's one of those tasks that has to be done to maintain a good working environment, very much like the day-to-day security tasks on a server box.
Posted by: Steve | Monday, 30 November 2009 at 04:16 PM