The trend of accelerating hardware development is getting scary for software folks. According to CNET, Google's Project Zero recently discovered major vulnerabilities in OS X, notified Apple of the issue and — after 90 days — published its findings per its standard practice. At that time, Apple had still not solved the bug.
There is little doubt these vulnerabilities (and their lack of resolution three months later) are a direct result of the mounting pressure to build sexy new software for the company's next hardware launch party, but that reality is not receiving enough attention. Discussing what major enterprises like Apple and Microsoft should do to resolve the hardware-software dichotomy is beyond unwieldy, but there is plenty about this trend that affects devs on the AppSec level. This rash of news about big-software vulnerabilities should be a powerful reminder that trust cannot be assumed — no matter who's asking for it.
It's a common refrain in the third-party application security world, but trust has to be earned. It's tempting to save time by assuming bigger brands with lofty reputations must be safe, but even OS X and Windows should be scrutinized by your security solution to understand where any vulnerabilities are and how they might affect your enterprise.
In the case of the specific vulnerabilities Google outlined recently, the flaw can only be exploited if an attacker has access to a "targeted Mac," which alleviates a lot of concerns about general network security. Still, the fact that there are chinks in such a major manufacturer's armor creates a concerning atmosphere about implicit trust. The best thing to keep in mind is that unless you're still doing AppSec manually, this doesn't really add any work for you — it just means the strength of your security software is more important than ever, as vulnerabilities are no longer exclusive to small-shop software.
On the other hand, remember: Some threats are bigger than others, and part of a comprehensive AppSec approach is understanding which threats mean what to your enterprise. If access to your machines is closely guarded, then the concern of one exploit that requires physical access to specific Macs is not high. It's important to parse through the hype and hysteria to understand what the flaws that Google's elite hackers find actually mean. In some cases, such news serves as nothing more than a reminder that you can't trust software just because it comes from a big enough name. In others, it's something much larger.
Big tech is not trying to maliciously hack you. (Maybe it's harvesting some data that it can use to personalize messages and sell things to you, but that's a story for another day.) The enemy of a secure enterprise is any software vulnerability that could be exploited by a cybercriminal. As long as your security solution is equipped to scrutinize OS X and small-shop website widgets to the same degree, then there's no cause for alarm just yet. You can feel sorry for the developers who have to keep up with the hardware stuff from original equipment (OE) manufacturers — but not sorry enough to cut them any slack. After all, you know what happens when you assume trust.
The good news is that great application security software is unbiased. It evaluates all source code and remains vigilant while hunting vulnerabilities in everything from operating systems to plug-ins. If you have world-class AppSec, it's fair to assume it knows more about the news than you do. So by the time Google announces it has found vulnerabilities that Apple hasn't fixed, your network is already protected. With cutting-edge security software and security divisions designed with the public in mind, it's possible to create a safer web for business. Even if that means big-tech brands have to keep hacking one another to keep devs honest.
Photo Source: Flickr