Application Security // Database Security
10/31/2013
02:29 PM
Adrian Lane
Adrian Lane
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Simple Security Is A Better Bet

Complex security programs are little better than no security

Last week I spoke with a firm to discuss compliance strategy for data privacy protection of personally identifiable information (PII). A number of state laws were potentially in play, including Massachusetts 201 CMR 17. We discussed what applications and databases were in use, how information moved, and some specific in-house issues. Then I discussed the different technology options for each platform that were available, mentioning which threats the products addressed and the relative cost of implementation and maintenance.

Even over the phone, I could hear heads spinning on the other side of the line. Too. Much. Information. And far too complex for them to come away with any coherent strategy or action plan. Forget running -- we needed to get to a crawl. It was clear the firm did not have the time, manpower, or budget to go through the full analysis process. And even if it did, it would have ended up with a half-dozen separate and distinct projects, each with its own learning curve, each with a different product to obtain, and each with a different skill for management.

That's where I simply cut to the chase: I advised a single technology, in two specific implementations, that provided basic security across all of the platforms for all of the use cases.

Why? Because it was going to address most of the issues the company had -- it was not even fully aware of the issues it needed to address -- and it was within its capability to implement. I hate to do this because sometimes it feels like compliance for the sake of compliance. Personally, I like to pick tools and technologies that best fit my category of need, be it compliance, security, or whatever. That said, sometimes best of breed is not possible. Selecting "the best" technical solutions app by app creates project and operational complexity that would simply never work in this case.

I've talked a lot on this -- here and on the Securosis blog -- about how complexity makes it harder to do security. Certainly guys like Bruce Schneier and Dan Geer have covered this in great detail as well. Examples I've witnessed firsthand, such as security settings being difficult to check, made it more likely people will make a mistake or skip the process entirely. If code is hard to read, then code reviews are less effective. Complexity makes things hard to understand and, in turn, results in less effective security -- in this case, complexity from an implementation and management perspective. Getting 90 percent of the way home was better then outright failure.

Does this sound cliche? Sure, it does. Do companies still bite off more than they can chew? Absolutely. The person who wants the work done is a specialist and wants things done to his or her standards, often beyond IT's capabilities. It's a reality for many IT organizations that the best choice is often the simplest to implement, or the simplest to use.

Adrian Lane is an analyst/CTO with Securosis LLC, an independent security analyst firm. Special to Dark Reading. Adrian Lane is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shidisu
50%
50%
Shidisu,
User Rank: Apprentice
11/18/2013 | 10:20:14 PM
re: Simple Security Is A Better Bet
Your analogy is flawed. Its more like "Well, he really should have this <insert complexity=""> and that <insert complexity=""> to be 99% cured, but since this guy is performing the procedure himself and dosnt have the expertise/time/resources to get to 99%, he can perform a simpler procedure that will get him to 90% NOW and will be able to get the other 9% down the road.</insert></insert>
knowlengr
50%
50%
knowlengr,
User Rank: Apprentice
11/16/2013 | 5:41:42 AM
re: Simple Security Is A Better Bet
So you go to the hospital and you overhear the physicians saying, "Well, he really needs this <insert complexity=""> and that <insert complexity="">, but since this guy doesn't know the difference, let's go with something simple instead.

Speaking of simple, the Schneier link has been moved.</insert></insert>
webbjh3
50%
50%
webbjh3,
User Rank: Apprentice
11/15/2013 | 9:38:57 PM
re: Simple Security Is A Better Bet
Adrian, I fully support the idea of simplifying our systems and our lives. However, one solution that addressed all use cases? I really would like for you to share that silver bullet with us all... As a very small start up I am already looking at 5-6 technologies.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio