Software manufacturers have no sense for IT security

27 September 2014

Manufacturers of scientific software could make one’s life really hard. For ease of their own business they make detailed specifications about the software versions required for the operation of their software, e.g. Apache HTTP server version 2.4.2, Tomcat version 7.0.12, Java Version 1.6, Oracle Patchlevel 8 for a 3-tier application. In the worst case they will not offer support if discrepancies are found.

Actually, you have to freeze the system and hope for the next patch or minor release before you can install urgently needed security patches to the operating system, HTTP service, middle ware, etc.

Unfortunately the attack surface of a company increases when unpatched systems and applications are operated inside the company network.

Hilbert curve, first order. Source: Wikipedia

Hilbert curve, first order.

In a well-protected IT system, where all known vulnerabilities are mitigated, the attack surface could be visualized as a first order Hilbert curve. This a curve of limited length. Everything’s under control, the CIO isn’t losing any sleep over the matter.

Hilbert curve, first and second order. Source: Wikipedia

Hilbert curve, first and second order.

Adding an unpatched application system to your network may result in a Hilbert curve of second order.

Hilbert curve, sixth order. Source: Wikipedia

Hilbert curve, sixth order.

Usage of default passwords for your database and file servers could be visualized as Hilbert curve of third order. Operation of lots of unpatched application systems may result in a Hilbert curve of sixth order.

This is a beautiful Picture, but the message is clear:
Nothing’s under control in this environment. 

By adding this vulnerabilities the attack surface, respectively the length of the Hilbert curve, has been increased significantly. And the CIO suffers from sleeplessness.

I often hear from application operators: Don’t panic! Everything will go well because ultimately, we run the systems inside the company network. People from Cologne would say ‘Et hätt noch emmer joot jejange!’ (Constitution of Cologne, Paragraph 3)

Sadly, I can’t share this view. Remind the latest security breach of the website. It took a month until the intrusion was detected. This was enough time to attack other systems inside the network. And unpatched systems, which are built upon open source software, are truly worthwhile Targets.

In my opinion, software manufacturers must build their software such, that the dependencies on the underlying software systems are minimized. This will give us the opportunity to mitigate vulnerabilities shortly after they are published.

Moreover, this will cut costs because we do not have to operate such systems in very special security islands.

Have a good weekend.

All Pictures: Source Wikipedia, Hilbert curve