Dailydave mailing list archives

Custom defense


From: Dave Aitel <dave () immunitysec com>
Date: Mon, 23 Aug 2004 17:02:48 -0400

So I think the real market for future security is in custom attacks and
defenses. This is what I see people starting to work on, although they
call it by many names (IPS, etc). Custom defenses are also good because
they are great for monitoring, which is really what IDS was all about in
the beginning, before they decided that good monitoring required
thousands of signatures. I alluded to this in my OWASP talk recently,
but I'm seeing more and more companies take "test driven development" to
the logical extreme, of figuring out how they can detect attacks at the
application layer, and building that into their applications from day 1.

Even porting choices are custom attacks: Once Bas Alberts (you can see a
picture of him on our website, except it doesn't do justice to his
dimples) finished the PHP limit bug for CANVAS (released last week), we
then field requests from all our customers to prioritize our porting and
QA efforts. As much as I hate the "windows of vulnerability" nonsense,
this does, in fact, affect our 0day as well. We'll assess whatever a
target is running, and then see how far the bugs we find spread to other
platforms, versions, or target configurations. 

It could be wishful thinking on my part, but I see the industry heading
in two directions:
1. Custom attacks and defenses (in a domain specific and application
specific fashion). I expect this to become part of the default checklist
for smart enterprises in the near future, although it isn't now except
for the outliers. I don't mean "database scanners" by this though. I
mean "special parser for bobsapp log files that runs anomaly detection
on it"; I think there's a market for pluggable anomaly detection, for
example. 
2. Boring audits driven by regulation. HIPAA, etc. Application security
reviews are going to turn into checklists.

What I don't see is pure application reviews and various assessment work
ever leading to profitability in this market. It's just an impossible
business model to execute on when playing against a decent competitor.
For now, people are making money because the pool of people who can do
this kind of work is tiny and demand is strong. But PaX (in the form of
PaX and XP SP2) is going to change that. We're going to move towards a
mindset of complacence. (And, for those of you going on about
information warfare all the time, a position of complacence is the only
time a Pearl Harbor can happen. Otherwise it's just a bunch of meatball
airplanes getting shot out of the air while trying to commit suicide.)

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave