There are 3 influencing factors in security which warns us of potential security danger.
1. The first fact is called “learned helplessness”: New technologies are constantly being discovered and developed. These new technologies need to be compatible with existing solutions. This is the “backward compatibility” problem of technology deployments. New technologies are developed to meet the need for greater security. The question is what happens to the old technology? Will they still be supported? Achieving backward compatibility is important. Developers need to focus on new technology and combine the legacy technology to the new one with minimal attention to the legacy’s effects. The most direct solution allows the modern and legacy technology to be achieved simultaneously by compromising the robustness and security strength of the new technology to match that of the legacy solution. From a security stand point, what is important is how backward compatibility will be accomplished without degrading security of the new systems.
What Microsoft did was force their new system to talk to both legacy and current protocol without considering the legacy security issues. What Microsoft could do was to have required the legacy systems to patch the functions required to support logging a final end of life upgrade to the legacy systems.
2. The other issue with security of products is how they are tested to see if there are any flows in those products and how often they go belly up when they are confronted with fuzzed input. For example Microsoft considers a good users experience but they don’t consider adversarial users. They don’t consider that their application would be deployed in hostile environments. And this makes it easy for attackers to exploit “confirmation traps”.
3. The other fact is “functional fixation.” When we talk about security, the concept of functional fixation helps us to understand what is beyond the security. For example, many people think security products increase the security of their system or organization. But this security software might include all sorts of common programming vulnerabilities, such as; unchecked execution, local buffer overflows and lack of authentication in auto update activities which might allow them to be used by attackers.
Reference:
Oram, Andy, Viega, John (2009). “Beautiful Security, Leading Security Experts Explain How They Think”, Copyright 2009 O’reilly Media, Inc.
No comments:
Post a Comment