Application Security // Database Security
10/31/2013
02:29 PM
Adrian Lane
Adrian Lane
Commentary
50%
50%

Simple Security Is A Better Bet

Complex security programs are little better than no security

Last week I spoke with a firm to discuss compliance strategy for data privacy protection of personally identifiable information (PII). A number of state laws were potentially in play, including Massachusetts 201 CMR 17. We discussed what applications and databases were in use, how information moved, and some specific in-house issues. Then I discussed the different technology options for each platform that were available, mentioning which threats the products addressed and the relative cost of implementation and maintenance.

Even over the phone, I could hear heads spinning on the other side of the line. Too. Much. Information. And far too complex for them to come away with any coherent strategy or action plan. Forget running -- we needed to get to a crawl. It was clear the firm did not have the time, manpower, or budget to go through the full analysis process. And even if it did, it would have ended up with a half-dozen separate and distinct projects, each with its own learning curve, each with a different product to obtain, and each with a different skill for management.

That's where I simply cut to the chase: I advised a single technology, in two specific implementations, that provided basic security across all of the platforms for all of the use cases.

Why? Because it was going to address most of the issues the company had -- it was not even fully aware of the issues it needed to address -- and it was within its capability to implement. I hate to do this because sometimes it feels like compliance for the sake of compliance. Personally, I like to pick tools and technologies that best fit my category of need, be it compliance, security, or whatever. That said, sometimes best of breed is not possible. Selecting "the best" technical solutions app by app creates project and operational complexity that would simply never work in this case.

I've talked a lot on this -- here and on the Securosis blog -- about how complexity makes it harder to do security. Certainly guys like Bruce Schneier and Dan Geer have covered this in great detail as well. Examples I've witnessed firsthand, such as security settings being difficult to check, made it more likely people will make a mistake or skip the process entirely. If code is hard to read, then code reviews are less effective. Complexity makes things hard to understand and, in turn, results in less effective security -- in this case, complexity from an implementation and management perspective. Getting 90 percent of the way home was better then outright failure.

Does this sound cliche? Sure, it does. Do companies still bite off more than they can chew? Absolutely. The person who wants the work done is a specialist and wants things done to his or her standards, often beyond IT's capabilities. It's a reality for many IT organizations that the best choice is often the simplest to implement, or the simplest to use.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shidisu
50%
50%
Shidisu,
User Rank: Apprentice
11/18/2013 | 10:20:14 PM
re: Simple Security Is A Better Bet
Your analogy is flawed. Its more like "Well, he really should have this <insert complexity=""> and that <insert complexity=""> to be 99% cured, but since this guy is performing the procedure himself and dosnt have the expertise/time/resources to get to 99%, he can perform a simpler procedure that will get him to 90% NOW and will be able to get the other 9% down the road.</insert></insert>
knowlengr
50%
50%
knowlengr,
User Rank: Apprentice
11/16/2013 | 5:41:42 AM
re: Simple Security Is A Better Bet
So you go to the hospital and you overhear the physicians saying, "Well, he really needs this <insert complexity=""> and that <insert complexity="">, but since this guy doesn't know the difference, let's go with something simple instead.

Speaking of simple, the Schneier link has been moved.</insert></insert>
webbjh3
50%
50%
webbjh3,
User Rank: Apprentice
11/15/2013 | 9:38:57 PM
re: Simple Security Is A Better Bet
Adrian, I fully support the idea of simplifying our systems and our lives. However, one solution that addressed all use cases? I really would like for you to share that silver bullet with us all... As a very small start up I am already looking at 5-6 technologies.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?