Acknowledging the Importance of Web Security
Two recent articles in the mainstream technical media are helping to bring increased awareness to the importance of web security as a key component in the overall security picture.
With acknowledgement of the increasing difficulty of spreading malware through traditional channels (email), Paul Henry suggests that the web is becoming the dominant distribution channel for malware.
Supporting this argument through figures that point to increasing numbers of websites hosting malicious content, Paul fails to recognise that the recent explosion in the number of sites hosting malicious content has largely been due to hosting providers that were compromised through known weaknesses in their hosting solutions (especially of systems with numerous virtual hosts).
There are still increasing numbers of dedicated malicious sites, but this analysis (like many) fails to properly account for previously trusted sites that are temporarily compromised by an attacker or via included third-party content (such as banner ads). This sort of problem will forever be the Achilles' heel of programs like SiteAdvisor and browser-based phishing protection.
Although the article at ZDNet is a press release masquerading as news (guess who has a vested interest in the product hawked in the article), it does raise some valid points that people outside of the web security sphere may not have been aware of, but should be informed about.
A better article, over at C|Net, identifies some of the problems associated with web security, particularly in terms of creating and implementing standards.
The assertion that the industry is 'basically making up web security as it goes along', however, is somewhat unfair. Perhaps this is the case in companies where there is not even a basic understanding of web security, but there is a growing repository of freely available information and common baseline knowledge that will propel companies and developers a long way towards implementing reasonable levels of security.
Beyond reasonable security the situation changes. It becomes like the rest of Information Security, where a small set of researchers and attackers are constantly probing away at the edges of what is known - seeking to improve the common knowledge (or improve the ability to attack and control).
Creating and implementing standards that can get entities to a level of reasonable security is the difficult part (as the article points out). Any standards body risks becoming irrelevant as soon as a standard is published (just like every other standards body), particularly with the rapid pace of security research and discovery. It doesn't take much research to find examples of this (PCI DSS), but the ongoing efforts of groups like OWASP and WASC are likely to form the initial basis of any eventual standards (it would almost be criminal for them not to).
29 June 2007