COM SECURITY TALK from INFILTRATE 2017: https://vimeo.com/214856542

Ok, so I have a concept that I've tried to explain a bunch of times and failed every time. It's how not just codebases decompose, but also whole platforms. And when a platform cracks, everything built on it has to be replaced from scratch.

Immunity has already gone through our data, like every other consulting company, and found that the process of the SDL is 10 times less of an indicator of future security than the initial choice of platform to build a product on. It's easier for people to understand the continual chain of vulnerabilities as discrete events. They look at the CyberUL work and think they can assess software risk. But platform risk is harder. Some signs of cracking are:

* New bug classes start to be found on a regular basis
* Vulnerability criticality is regularly "catastrophic", as bug classes that used to be low risk are now known to be super high risk when combined together
* Remediations become much more difficult than "simply patch", and bugs are often marked "won't fix"
* Even knowing whether you are vulnerable is sometimes too much work, even for experts
* Mitigations seem useful at first, but then turn out to do more harm than good

From an attacker's standpoint, being able to smell a broken platform is like knowing where a dead whale is before anyone else - there is about to be a feeding frenzy. Whole careers will live and die like brittle stars upon the bloated decomposing underwater corpses of Java and .Net. Microsoft Windows is the same thing.

I want to point out that when Microsoft Research gave their talk at INFILTRATE two years ago, initially nobody took any notice. But some of us forced research on it, because we knew it was about the cracking of an entire platform - probably the most important platform in the world, Active Directory.

From a defensive standpoint, what I see is people in denial that this process even exists. They think patching works. They want to believe.

From an architectural standpoint, Windows is only two things: COM and the Win32 API. Forshaw has broken both of them. And not in ways that can be fixed. What does that mean? Anyways, watch the video. :)