Twenty-Four Seven Security

Peter Schooff

What's the Future of Application and Database Security?


If you're interested in the future of security as it relates to SOA, then you cannot miss this Wednesday's ebizQ webinar, titled "Evolving Security Architectures and SOA for Better Business Collaboration," which you can sign up for on the ebizQ site.

Found an interesting blog post where Rich Mogull lays out his vision for the future of application and database security, focusing on innovations that force change, rather than ones that merely nudge us to steer slightly around some new curves (would an apt analogy be the invention of the car, versus the invention of the car cup-holder?).

As he says: "In the security world, these forces/disruptions come from three angles: business innovation, threat innovation, and efficiency innovation. The businesses we support are innovating for competitive advantage, as are the bad guys. For both of them, it's all about increasing the top line. The last category is more internal: efficiency innovation to increase the bottom line."

Here are Mogull's (somewhat contentious) conclusions:

1. Web browsers are inherently insecure.
2. We have a massive repository of insecure code that grows daily.
3. The volume of sensitive data that's accessible online grows daily. The Internet and web applications are powerful business tools. It only makes sense that we connect more of our business operations online, and thus more of our sensitive data and business operations are Internet accessible.
4. The bad guys know technology.
5. The bad guys have an economic infrastructure. Not only can they steal things, but they have a market to convert the bits to bucks.
6. Bad guys attack us to steal our assets (information) or hijack them to use against others.
7. Current security tools are not oriented to the right attack vectors.
8. We do not have the resources to clean up all existing code, and we can't guarantee future code, even using a secure SDLC, won't be vulnerable.
9. Code scanning tools and vulnerability analysis tools can't catch everything, and can't eliminate all false positives.
10. We're relying on more and more code and web services developed by others.
11. "Web applications" is a misnomer: we mean the entire stack: web servers, web application servers, the databases behind them, and all the various interconnected n tiers. Many of these are internally accessible, creating an additional vector for attack.

Mogull's proposed solutions:

1. We need to include browser elements, but can't trust the browser.
2. We need to monitor and enforce at the transaction level, both for auditability and for logic flaws and other security issues.
3. Such monitoring and enforcement needs to run from the browser to the database.
4. Any solution needs to understand the application and database, not just layer over it.
5. We need to filter anything we pass on to the user.
6. We need to focus on protecting the information.


Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.

Peter Schooff is Managing Editor at ebizQ. Peter is also a very popular blogger in the IT security space.
