Unfortunately, we suspect that the vulnerability landscape will get worse before it gets better. Over the past few years the number of discovered vulnerabilities in commercial products has risen dramatically.
Complicating matters, the management lines between application development and system, network and database administration continue to blur, particularly in regard to zones of security control. For example, administration and security of the OS (and the subsequent patching) still clearly falls under the jurisdiction of the system administrator, but his or her security efforts can be completely foiled by a single bad application; if an application developer places a vulnerable CGI form on a previously secure Web server, much of the system administrator's security controls may be bypassed. The network administrator can't be held responsible for insecure systems, and the security-conscious application developer can still be thwarted by a careless database administrator. The dependencies among administrative teams are growing ever more web-like, and these areas of authoritative haze will only be complicated by the adoption of new technologies, such as Web services.
Most organizations have two choices: continue as they are and keep operating with large risk/exposure profiles, or invest in more mature vulnerability-management efforts. Those efforts must include both the tools and the processes to quickly and effectively identify, and respond to, an ever-evolving set of threats. Forward-thinking organizations will not only build out better vulnerability-management systems, they will also become more security-conscious in their purchasing decisions. The safety of their data, and of their businesses, depends on it.
Greg Shipley is the CTO for Chicago-based security consultancy Neohapsis. Write to him at [email protected].
Vulnerabilities--flawed OSs, defective custom applications and poorly designed networks--constitute a clear danger to enterprises. A critical component of any vulnerability-management process is identifying those areas of potential risk. In this article, we provide a guide to rooting out and exterminating the bugs in your machines. Key are laying out both tactical and strategic lines of attack, making security a principal factor in product purchasing decisions, and choosing and deploying your tools wisely.