Should network and application security proceed along separate, independent tracks?
Should software security focus solely on the in-context business issues concerning security, and have network security focus on not allowing the software and infrastructure to be undermined?
This is one of those concepts that has been brewing in the back of my mind for some time now. Different data, different availability, and different contexts provide different value propositions, and I am not sure they are effective surrogates for one another. A bunch of Hoff’s posts add fire to this thought, and the whole Kaminsky debate shows the value of competition. We willfully merge network, server and application security concepts as one and the same, and quite often use one to band-aid the other. It’s not working very well.
If competition makes us stronger, maybe we should just stop cooperating and start pointing the finger of blame at one another. Maybe we need a good turf war to generate security competition between IT & Development groups. The network Hatfields vs. the application McCoys, each working harder to make sure they’re not responsible for the next breach.
3 Replies to “Network vs. Application Security”
Attackers do not use application or network tools exclusively. Ergo, no one should.
The attack vector or vulnerability is only the surface of an attack. In order to understand how this vulnerability affects the organization, you must analyze the risk by investigating how an attacker can profit from this vulnerability, e.g., an attacker might leverage a client-side vulnerability in order to hijack a desktop and profit from its credentials to get to critical servers.
Cheers.
I think that the underlying theme here is that of “reoperationalization”, or returning operational functions to the specialist groups and having infosec be a governance function rather than a specialist technical function.
If the industry has learned anything, I hope it has learned that most companies can’t hire network, endpoint, architecture, application, etc. security experts, but can leverage existing experts in these areas to also become security champions.
The theme here is dotted lines vs. solid lines, security as a matrixed org. Hard for some folks to deal with, but much more effective. I’d rather have 5 staff expert at providing consultative guidance on security principles and doing it well than 20 staff clinging to technical roles and failing in a way they can’t even understand.
Then, we security staff can focus on the real value-providing asset, which is the information, which can be seen as a horizontal that crosses all the technology verticals.
I recall applying router ACLs on Cisco 3000s and 2500s in 1995, and IP filtering with Livingston Portmasters (and Cisco 7x00s) in 1996. I remember the need for “no ip directed broadcast” around that same time. I remember upgrading code with rolling reboots over the course of many years. This is “real” network security.
DNS, Ethernet, WiFi and all other networking technologies are secure over the wire if you use SSL properly. Netscape had SSL in 1994. Everyone who has used a web browser since that time has probably had SSL support. SSL provides “real” network security.
Unfortunately, nobody ever implemented these technologies. SSL is used only for the “most sensitive” traffic (and often then it is redundant). It is rare to see proper filtering of IP source traffic on the outbound to prevent IP spoofing. I bet there are still networks that allow directed broadcasts. Routers and other network devices are notoriously out-of-date with their firmware, software revisions, etc. I’m sure that some people still log in with telnet using cisco/cisco. Network security has been alive for at least 15 years, but we didn’t do our jobs. We continue to fail to get it right.
We never needed anything but the above technologies for network security to work. All of these “new technologies” have provided nothing extra. In my opinion, they only exist to sell products that organizations do not need. This has serious consequences to our industry, as network security has come to the forefront of information security. It sweeps the real problems (i.e. application security, IP spoofing, MITM, default passwords, etc) under the table, avoids them, and delays the inevitable.
Network security is not innovative. It’s not exciting. Besides basic IP filtering and SSL—it’s not even helpful. There will be no network security revival. We must fix our applications and implement the “right controls”.
The problem with modern IT shops is that they bothered with network security in the first place. We need to replace every network-security focused manager and staff person with an application-security expert-equivalent. We need to re-train and re-group these people. The developers will be ahead of them in no time. They will certainly have the last laugh.
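The basic controls this commenter lists (no directed broadcasts, egress filtering of spoofed source addresses, no telnet, no default credentials) are easy to check for in a router configuration. The following is an added example, not code from the post or from any of the commenters: a small Python audit over an IOS-style configuration text. The two configuration samples, the internal prefix 192.0.2.0/24, the ACL name and the hash placeholder are all constructed for the example and are assumptions, not values from the page.

```python
import re

# Constructed sample config (not from the page) with each weakness present.
CONSTRUCTED_CONFIG = """\
hostname edge-rtr
username cisco password 0 cisco
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 ip directed-broadcast
!
ip access-list extended ANTI-SPOOF-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any log
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed hardened version; the secret hash is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname edge-rtr
username netops secret 9 $9$CONSTRUCTED-HASH-PLACEHOLDER
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 no ip directed-broadcast
 ip access-group ANTI-SPOOF-OUT out
!
ip access-list extended ANTI-SPOOF-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny ip any any log
!
line vty 0 4
 transport input ssh
 login local
"""


def parse_blocks(config):
    """Split an IOS-style config into (header, [child lines]) pairs.
    Unindented lines start a block; indented lines belong to the block above."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def anti_spoof_acls(blocks, internal_prefix):
    """Names of extended ACLs whose permit entries all use the internal prefix
    as source: an egress filter that stops spoofed source addresses leaving."""
    wanted = internal_prefix.split()
    names = set()
    for header, body in blocks:
        if header.startswith("ip access-list extended "):
            permits = [l.split() for l in body if l.startswith("permit ")]
            if permits and all(p[2:4] == wanted for p in permits):
                names.add(header.split()[-1])
    return names


def audit_config(config, internal_prefix="192.0.2.0 0.0.0.255"):
    """Return (check, where) findings for the controls the comment names."""
    blocks = parse_blocks(config)
    spoof_acls = anti_spoof_acls(blocks, internal_prefix)
    findings, egress_filter_applied = [], False
    for header, body in blocks:
        if header.startswith("interface "):
            name = header.split()[1]
            if "ip directed-broadcast" in body:  # explicit enable on this interface
                findings.append(("directed-broadcast", name))
            for line in body:
                m = re.match(r"ip access-group (\S+) out$", line)
                if m and m.group(1) in spoof_acls:
                    egress_filter_applied = True
        elif header.startswith("line vty"):
            transports = [l for l in body if l.startswith("transport input")]
            # no restriction, or telnet/all still permitted, means cleartext logins
            if not transports or any("telnet" in l or l.endswith(" all") for l in transports):
                findings.append(("telnet-allowed", header))
        elif header.startswith("username "):
            m = re.match(r"username (\S+) (?:privilege \d+ )?password (\d) (\S+)", header)
            if m:
                user, ptype, secret = m.groups()
                if ptype == "0":  # type-0 passwords are stored in cleartext
                    findings.append(("cleartext-password", user))
                if secret == user or (user, secret) == ("cisco", "cisco"):
                    findings.append(("default-credentials", user))
    if not egress_filter_applied:
        findings.append(("no-egress-spoof-filter", "any interface"))
    return findings


if __name__ == "__main__":
    for check, where in audit_config(CONSTRUCTED_CONFIG):
        print(f"{check}: {where}")
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

The audit only reads the configuration text, so it can run against a saved `show running-config` export without touching the device; the ACL check deliberately accepts only ACLs whose every permit entry is sourced from the internal prefix, so a filter with a stray `permit ip any any` is not counted as an egress anti-spoofing control.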