EYE ON SECURITY

The World of Secure Development.

by Kevin Carlson

November 2006


November 26, 2006

Security and IBM


I admit it. When the word "security" pops up, IBM isn't the first company that comes to mind.

That's good and bad. On the good side, IBM isn't prone to generating the negative news that, say, a Microsoft often does. On the bad side, the company has antivirus and anti-spyware tools that you don't hear much about either.

As it turns out, IBM has an entire group -- the Internet Security Systems -- which hasn't appeared on my radar until now. That's probably my fault, not IBM's. The core security activity is based on IBM's acquisition of Internet Security Systems (ISS)--an acquisition that was announced on August 23, 2006. Okay, so I wasn't paying attention and missed the press release.

ISS is a company that has been around since 1994, focusing on vulnerability assessment and intrusion detection/prevention technologies. IBM will keep the ISS X-Force research and development team and link its expertise with IBM Labs. And since the research results that come out of IBM Labs are generally quite impressive, it is worth watching the X-Force and ISS teams as they move into the future.

Posted by Jon Erickson at 01:41 PM


November 18, 2006

The Least Vulnerable Database?


Responsible for a big-time database? Worried about security? If so, you might want to take a look at a report compiled by Eric Ogren, a security analyst for Enterprise Strategy Group, that examines security vulnerabilities in MySQL, Oracle, SQL Server, Sybase, and DB2.

What Ogren found was that, assuming proper execution, Microsoft's SQL Server exhibited fewer vulnerabilities than all others. More specifically, based on Common Vulnerabilities and Exposures (CVE) data documented in the National Vulnerability Database:

  • Oracle has 70 vulnerabilities
  • MySQL has 59
  • Sybase has seven
  • DB2 has four
  • SQL Server has two

According to Ogren, some of the security-related features built into Microsoft's SQL Server have helped keep its number of reported bugs to a minimum.

As reported by Kelly Jackson Higgins of Darkreading.com, Ogren notes that Microsoft's latest development strategy of baking security into the code from the get-go has made SQL Server safer, as well as the fact that it disables by default the riskier options like Windows command shells and SQL browser service, which could be used by attackers. It also uses authenticated identity, where a user only gets to see what he is authorized to see in his database searches, Ogren says.

Posted by Jon Erickson at 01:38 PM


November 12, 2006

Attack Patterns


The Gang of Four started something when they began documenting design patterns for writing software.

It didn't take long for other patterns -- enterprise patterns, test patterns, and even anti-patterns -- to pop up. The most recent patterns to be documented are "attack patterns."

Attack patterns are common attack approaches from the set of known exploits. Knowing and understanding common attack patterns help you improve the assurance profile of software. Sean Barnum and Amit Sethi have published a series of excellent papers on the subject, starting with Introduction to Attack Patterns which, as its title suggests, introduces attack patterns from concept to terminology.

This is followed by articles on Attack Pattern Generation, Attack Pattern Usage, and the like.

Posted by Jon Erickson at 10:19 AM


November 03, 2006

DriveTrust: Seagate's Hard Disk Encryption


Seagate's announcement that it was taking another run at encrypted hard drives for notebook PCs is interesting, to say the least.

In a nutshell, what the company said was that in the first quarter of 2007, it would start delivering its Momentus 5400 FDE.2, short for "Full Disk Encryption 2" -- a 2.5-inch drive with hardware-based, full disk encryption. All cryptographic operations and access control are performed by a separate chip within the drive. Only a password will be necessary to authenticate for drive access.

At the heart of the upcoming system is Seagate's DriveTrust technology which is built in part on algorithms that include AES, TripleDES, public key (RSA), and SHA-1. There are parts of DriveTrust that Seagate touts that I don't get quite yet. For instance, it is a drive-level security that requires no patches, updates, or upgrades, freeing IT organizations from having to distribute software updates or manage software versions. (So what happens if someone breaks the security?) Information stored on DriveTrust drives can be instantly erased (by whom?).

One interesting part is that DriveTrust gives ISVs a platform for building security applications via the DriveTrust SDK. Seagate is also working with the Trusted Computing Group (TCG) standards body to standardize DriveTrust's encryption, authentication tools, and other security building blocks in a formal TCG storage specification that is scheduled for public release in early 2007. The TCG specification will enable manufacturers of hard drives and devices that use them to easily deploy security capabilities such as encryption and user authentication.

Posted by Jon Erickson at 10:23 AM


