North America’s information security royalty will be in San Francisco next week for The RSA Security Conference. It is the security industry’s biggest annual conference, and, like the information security industry itself, RSA is booming.
The topic of application security – a side-discussion ten years ago – now warrants its own separate track at RSA. That’s a good thing. High visibility at RSA sends a message that application security is an important area that warrants attention from investors and from larger technology firms that might otherwise chase some black-box “magic bullet” security story.
But the discussion of application security at RSA is also changing, to reflect what I would call a subtle but radical change in the way software is created and delivered.
Though estimates vary, there is agreement that the next decade will see billions (tens of billions? Hundreds of billions?) of Internet-enabled devices come online, and the vast majority of them will look nothing like the desktop PCs, laptops and servers that dominated the Internet landscape in the last 20 years. Already, those software-powered devices are proving just as unreliable as the Windows-based desktops and servers that preceded them, if not more so.
Some examples? On my blog this week, I reported on research by the security firm IOActive about serious security holes affecting WeMo home automation products from Belkin, including poor design and implementation of SSL that could allow anyone to impersonate Belkin’s cloud-based management servers and remotely control WeMo devices in a home. Also this week, the security firm Rapid7 warned of a point-and-click exploit for a long-patched vulnerability in Android’s WebView programming interface that could allow attackers to take control of a healthy chunk of all deployed Android mobile devices.
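As an added illustration of what “poor implementation of SSL” usually means in practice, here is a Python client configured the weak way beside the hardened form, plus a certificate-pin check of the kind a device could use to refuse an impersonated cloud server. This is example code written for this post, not Belkin’s firmware, IOActive’s proof-of-concept, or anything specific to the WeMo bug, whose mechanics the report above does not give; the hostnames, function names and certificate byte strings are constructed placeholders (the “certificates” are not real DER).

```python
"""Client-side TLS: the weak pattern beside the hardened one.

Added example, not Belkin's code or IOActive's research. It assumes nothing
about how the WeMo bug actually worked; it shows the general failure mode,
a client that encrypts but never checks who it is talking to, and the two
checks that stop a cloud-server impersonation.
"""
import hashlib
import hmac
import socket
import ssl

# Constructed placeholders standing in for DER-encoded certificates. A real
# client gets these bytes from SSLSocket.getpeercert(binary_form=True).
CONSTRUCTED_PEER_CERT_DER = b"\x30\x82\x01\x0a" + b"example certificate body, not real ASN.1"
CONSTRUCTED_ATTACKER_CERT_DER = b"\x30\x82\x01\x0a" + b"attacker-minted certificate, also not real"


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER encoding, the usual form of a certificate pin."""
    return hashlib.sha256(der_bytes).hexdigest()


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern: TLS is negotiated, but identity is never checked.

    Any certificate, including one an attacker minted for the vendor's
    hostname, is accepted, so a man-in-the-middle can impersonate the
    cloud management server and issue commands to the device.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # "accept anything"
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The corrected form: chain validated against trusted CAs, hostname
    matched against the certificate, and old protocol versions refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-value view of the two settings that decide impersonation."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def peer_is_pinned(der_bytes: bytes, pinned_fingerprints) -> bool:
    """Second line of defence for a device that ships its vendor's expected
    certificate hash: refuse any peer whose certificate does not match a
    pin, even if it chains to a trusted CA."""
    fp = cert_fingerprint(der_bytes)
    return any(hmac.compare_digest(fp, pin) for pin in pinned_fingerprints)


def connect_pinned(host: str, port: int, pinned_fingerprints) -> ssl.SSLSocket:
    """Connect with full validation, then enforce the pin on the presented
    leaf certificate. Needs a network, so it is not exercised offline;
    shown for the call sequence a device client should follow."""
    ctx = hardened_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname check happens here
    try:
        leaf = tls.getpeercert(binary_form=True)
        if not peer_is_pinned(leaf, pinned_fingerprints):
            raise ssl.SSLCertVerificationError("peer certificate does not match pin")
    except Exception:
        tls.close()
        raise
    return tls
```

The point of `context_summary` is that the two dangerous settings are easy to spot in an audit: a client context with `verify_mode` of `CERT_NONE` or `check_hostname` of `False` talking to a management server is the bug class described above, whatever the product. Pinning is a complement to, not a replacement for, chain validation; a device that pins must also have a way to rotate the pin when the vendor’s certificate changes.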
The message: software application development is happening across a much wider population of platforms, while software powered devices are cropping up in unexpected ways in both homes and workplaces.
However, few of the hard-learned lessons of the last decade appear to be making the journey. After its software became synonymous with worms and viruses, Microsoft poured billions into hardening its operating system and making technologies like Address Space Layout Randomization and Data Execution Prevention standard fare on Windows. Microsoft’s Windows still runs most of the world’s computers. But aspiring hackers today are far more likely to poke around non-Windows systems, including mobile OSes like Android and iOS and embedded devices, especially when smart device makers see fit to launch poorly secured, loosely configured Linux devices (with cloud back-ends) into the mass market and hope that nobody notices.
Why is that? Writing this week on IOActive’s blog, researcher Cesar Cerrudo blamed what he termed “data ambition” for increasing the attack surface of smart devices.
For example, Cerrudo notes that smart device makers such as NEST often force management of remotely deployed devices to be routed through their ‘vendor cloud,’ rather than allowing customers to connect directly to and manage their devices locally. That provides the device maker with a wealth of information about how its customers interact with its product. However, it also creates a huge target for malicious actors, as hacking the vendor’s cloud would give an attacker access to thousands or tens of thousands of devices, and to their owners’ information, in one stroke.
RSA hasn’t fully embraced the shift, but there are a few talks worth seeking out where experts will discuss issues that I think are germane to where the application security conversation is going.