Tag Archives: complex software packages

Software manufacturers have no sense for IT security

27 September 2014

Manufacturers of scientific software can make one’s life really hard. For the convenience of their own business they make detailed specifications about the software versions required for the operation of their software, e.g. Apache HTTP server version 2.4.2, Tomcat version 7.0.12, Java version 1.6, Oracle patch level 8 for a 3-tier application. In the worst case they will not offer support if discrepancies are found.

In effect, you have to freeze the system and wait for the next patch or minor release before you can install urgently needed security patches to the operating system, HTTP service, middleware, etc.

Unfortunately, the attack surface of a company increases when unpatched systems and applications are operated inside the company network.

Hilbert curve, first order. Source: Wikipedia

In a well-protected IT system, where all known vulnerabilities are mitigated, the attack surface could be visualized as a first order Hilbert curve. This is a curve of limited length. Everything’s under control, the CIO isn’t losing any sleep over the matter.

Hilbert curve, first and second order. Source: Wikipedia

Adding an unpatched application system to your network may result in a Hilbert curve of second order.

Hilbert curve, sixth order. Source: Wikipedia

Usage of default passwords for your database and file servers could be visualized as a Hilbert curve of third order. Operation of lots of unpatched application systems may result in a Hilbert curve of sixth order.

This is a beautiful picture, but the message is clear: nothing’s under control in this environment.

By adding these vulnerabilities, the attack surface, i.e. the length of the Hilbert curve, has increased significantly. And the CIO suffers from sleeplessness.

I often hear from application operators: Don’t panic! Everything will go well because, ultimately, we run the systems inside the company network. People from Cologne would say ‘Et hätt noch emmer joot jejange!’ (‘It has always turned out fine so far!’, Constitution of Cologne, Paragraph 3)

Sadly, I can’t share this view. Recall the recent security breach of the Healthcare.gov website. It took a month until the intrusion was detected. This was enough time to attack other systems inside the network. And unpatched systems, which are built upon open source software, are truly worthwhile targets.

In my opinion, software manufacturers must build their software such that the dependencies on the underlying software systems are minimized. This will give us the opportunity to mitigate vulnerabilities shortly after they are published.

Moreover, this will cut costs because we do not have to operate such systems in very special security islands.

Have a good weekend.

All Pictures: Source Wikipedia, Hilbert curve

Rule No. 5: Minimize the Attack Surface

21 August 2014

Complex applications are composed of many infrastructure layers, e.g. database and file services or web services. Services are provided by one or many systems through complex software packages. All systems communicate with each other and with infrastructure systems like directory, naming or backup services. In order to simplify matters we omit the users.

Every operating system, software package, infrastructure service, etc. has vulnerabilities which could be used to attack the application. For example, the U.S. National Vulnerability Database (NVD) lists 9 vulnerabilities for the widely used middleware JBoss, all published in the past 3 months. On top of that, we add some self-made vulnerabilities through our application design.

The set of all vulnerabilities is the known attack surface.

Please keep in mind:

[1] The whole is more than the sum of its parts!

[2] The unknown attack surface is greater than the known attack surface, and millions of hackers are working hard every day to detect new vulnerabilities.

Today’s standard answer to this challenge is patching, patching, … But from my point of view Security by Design shows a way out of the chaos. Application systems should be designed according to

Rule 5: Minimize the total attack surface!

What does this mean for the application/system design?

  • Decompose the application into separate functions, if possible provided by separate services
  • Minimize the number of interfaces between the application components
  • Minimize the number of 3rd party components
  • Relocate services onto separate encapsulated systems
  • Minimize the number of installed software packages per system
  • Minimize the dependencies on infrastructure services

The effort to build and run will definitely be higher, but the known attack surface will be much smaller.
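To make the two posts above concrete (the known attack surface as the set of published vulnerabilities across all installed packages, vendor version pins that keep fixes from being installed, and the rule 5 measures of fewer packages, fewer interfaces and relocated services), here is an added example that is not code from the original blog. It models an application as a list of systems with installed packages, a vendor pin list and offered network interfaces, matches them against a vulnerability feed, and compares the surface before and after applying rule 5. Every system name, package version, pin and vulnerability record is constructed for the demonstration; the vulnerability IDs are labels, not real CVE or NVD entries.

```python
"""Known attack surface of a multi-system application, built from an inventory.

Added example for the posts above; it is not code from the original blog.
Every system, package, version, vendor pin and vulnerability record below is
constructed for the demonstration (the IDs are not real CVE/NVD entries).
"""
from dataclasses import dataclass, field


def parse_version(text):
    """'2.4.2' -> (2, 4, 2); tuples compare component-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str         # constructed label, not a real CVE number
    product: str
    affected_max: tuple  # highest affected version, inclusive
    fixed_in: tuple      # first release that closes the hole


@dataclass
class System:
    name: str
    packages: dict                                   # product -> installed version tuple
    needed: set                                      # products the system's role actually requires
    listens_on: list                                 # network services offered to the rest of the network
    vendor_pins: dict = field(default_factory=dict)  # product -> version the application vendor insists on


# Constructed vulnerability feed in the spirit of the NVD entries mentioned in the post.
VULN_FEED = [
    Vuln("VULN-A", "httpd",    parse_version("2.4.2"),  parse_version("2.4.3")),
    Vuln("VULN-B", "httpd",    parse_version("2.4.9"),  parse_version("2.4.10")),
    Vuln("VULN-C", "tomcat",   parse_version("7.0.12"), parse_version("7.0.13")),
    Vuln("VULN-D", "java",     parse_version("1.6.0"),  parse_version("1.7.0")),
    Vuln("VULN-E", "postgres", parse_version("9.3.4"),  parse_version("9.3.5")),
    Vuln("VULN-F", "samba",    parse_version("4.1.0"),  parse_version("4.1.1")),
]


def exposed_vulns(system, feed):
    """Feed entries that apply to a package installed on this system."""
    return [v for v in feed
            if v.product in system.packages and system.packages[v.product] <= v.affected_max]


def blocked_by_pin(system, vuln):
    """True when the vendor's version pin forbids installing the fixing release (first post)."""
    pin = system.vendor_pins.get(vuln.product)
    return pin is not None and pin < vuln.fixed_in


def removal_candidates(system):
    """Installed packages the system's role does not need (rule 5: fewer packages per system)."""
    return set(system.packages) - system.needed


def attack_surface(systems, feed):
    """Known attack surface of the whole application: exposed vulnerabilities,
    the subset the vendor pins keep open, and the network interfaces offered."""
    vulns, blocked, interfaces = set(), set(), set()
    for s in systems:
        for v in exposed_vulns(s, feed):
            vulns.add((s.name, v.vuln_id))
            if blocked_by_pin(s, v):
                blocked.add((s.name, v.vuln_id))
        interfaces.update((s.name, port) for port in s.listens_on)
    return {"vulns": vulns, "blocked": blocked, "interfaces": interfaces}


def build_before():
    """One box running everything, pinned by the vendor to old releases; samba is an unused leftover."""
    app = System(
        name="app01",
        packages={"httpd": parse_version("2.4.2"), "tomcat": parse_version("7.0.12"),
                  "java": parse_version("1.6.0"), "postgres": parse_version("9.3.4"),
                  "samba": parse_version("4.1.0")},
        needed={"httpd", "tomcat", "java", "postgres"},
        listens_on=["tcp/80", "tcp/8080", "tcp/5432", "tcp/445"],
        vendor_pins={"httpd": parse_version("2.4.2"), "tomcat": parse_version("7.0.12"),
                     "java": parse_version("1.6.0")},
    )
    return [app]


def build_after():
    """Rule 5 applied: unused package removed, database relocated to its own encapsulated
    system where no vendor pin applies, so it could be patched right away."""
    app = System(
        name="app01",
        packages={"httpd": parse_version("2.4.2"), "tomcat": parse_version("7.0.12"),
                  "java": parse_version("1.6.0")},
        needed={"httpd", "tomcat", "java"},
        listens_on=["tcp/80", "tcp/8080"],
        vendor_pins={"httpd": parse_version("2.4.2"), "tomcat": parse_version("7.0.12"),
                     "java": parse_version("1.6.0")},
    )
    db = System(
        name="db01",
        packages={"postgres": parse_version("9.3.5")},
        needed={"postgres"},
        listens_on=["tcp/5432"],
    )
    return [app, db]


if __name__ == "__main__":
    for label, systems in (("before", build_before()), ("after rule 5", build_after())):
        surface = attack_surface(systems, VULN_FEED)
        print(f"{label}: {len(surface['vulns'])} exposed vulnerabilities, "
              f"{len(surface['blocked'])} of them unpatchable because of vendor pins, "
              f"{len(surface['interfaces'])} network interfaces")
        for s in systems:
            if removal_candidates(s):
                print(f"  {s.name}: packages not needed for its role: {sorted(removal_candidates(s))}")
```

Run as a script, the "before" layout reports six exposed vulnerabilities, four of which cannot be closed because the vendor pins the fixed releases out, plus samba as a package nobody needs. After rule 5 the count drops to four and the interfaces from four to three, but the four pinned holes remain: minimizing packages and interfaces shrinks the surface you control, while the vendor's version dependencies (the first post) still decide how quickly the rest can be patched.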

Keep it smart and simple!