SYS-CON MEDIA Authors: Sematext Blog, Liz McMillan, Elizabeth White, Carmen Gonzalez, Pat Romanski

Related Topics: Cloud Security, Microservices Expo, @CloudExpo

Cloud Security: Blog Post

The Bigger the Base the Larger the Blast Radius By @LMacVittie

Information security decision making is a constant balancing act of risk versus reward, disruption versus dependability

At the end of the year, WhiteHat Security posted an interesting blog titled, "The Parabola of Reported WebAppSec Vulnerabilities" in which a downward trend in web application vulnerabilities (as collected by the folks at Risk Based Security's VulnDB) was noted beginning in 2008 after having been on an upward trend since 1994 (hence the use of parabola to describe the histogram of reported vulnerabilities. See hastily composed diagram on left. A very angular looking parabola but a parabolic shape nonetheless).

web app sec trend 2014 to 1994

The author further postulates some possible explanations for this trend. including a "more homogeneous Internet", which is explained as:

start_quote_rbIt could be that people are using fewer and fewer new pieces of code. As code matures, people who use it are less likely to switch in favor of something new, which means there are fewer threats to the incumbent code to be replaced, and it’s therefore more likely that new frameworks won’t get adopted. Software like WordPress, Joomla, or Drupal will likely take over more and more consumer publishing needs moving forward. All of the major Content Management Systems (CMS) have been heavily tested, and most have developed formal security response teams to address vulnerabilities. Even as they get tested more in the future, such platforms are likely a much safer alternative than anything else, therefore obviating the need for new players.end_quote_rb

That seems a logical (and likely) explanation. The continued refinement of highly leveraged code ultimately reaps the benefit of being more secure. It's like realizing the benefits of a thousand code reviews instead of the usual three to five colleagues. Certainly the additional scrutiny has rewards in the form of greater stability (fewer kinks need to be worked out because, well, they've already been worked out) and improved security (almost all the holes have been found and patched).

The code base is also likely well-documented and supported by an active community, making it an attractive choice for developers looking for a framework or system with a robust, extensible repository of "extras" and "options".

It's a win-win-win situation.

I know what you're thinking - there's one too many "wins" in that equation. There's the developers of the framework or system and the consumers. It should be win-win, shouldn't it?

Au contraire, mes amis!

The third win is, in fact, for the bad guys. The attackers. The would-be infiltrators and destroyers of your web application.

Consider that two of the most disruptive (and effective) vulnerabilities of 2014 were discovered in just such code bases. Long-lived, well-supported, widely distributed. Perpetrated against platforms that, like application frameworks and platforms, are highly disruptive (and costly) to patch when such vulnerabilities are discovered.

[ Heartbleed and Shellshock were highly disruptive and perpetrated against industry de facto standard technology ]

Attackers, on the other hand, have a field day because the homogenous and entrenched technology means many weeks (perhaps months) of systems ripe for exploit. It's harvest time for the bad guys.

Now, I'm not saying we shouldn't be using well-established, "seasoned" platforms. I am saying that (potentially) diminishing vulnerabilities does not mitigate all the risk associated with a platform or technology. Certainly every year the platform is in use, the risk of vulnerabilities existing decreases. But this also means the damage from the exploitation of a heretofore undiscovered vulnerability increases because continued adoption and use of the technology expands its blast radius.

In other words, there is a converse relationship between the distribution size of an established (and assumed mostly-secure) technology platform and the potential damage incurred by the discovery of a vulnerability in it.

It is important to note the author states, "Even as they get tested more in the future, such platforms are likely a much safer alternative than anything else". Not safest. Not risk-free. Safer.

What that means is you need to consider not only the likelihood of an attack for established platforms and software (which is admittedly growing lower by the day) but the blast radius should a vulnerability be discovered. If all your sites are running on platform X and a vulnerability is discovered, what's the impact to your business?

Conversely, that risk must be weighed against the risk of custom or less well-established platforms being riddled with vulnerabilities and consuming valuable time and effort in constant evaluation and remediation cycles.

Information security decision making is a constant balancing act of risk versus reward, disruption versus dependability. What 2014 taught us is we should expect that a vulnerability will be discovered in even the most well-established platform, and plan accordingly.

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

Latest Stories
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
As the fourth industrial revolution continues to march forward, key questions remain related to the protection of software, cloud, AI, and automation intellectual property. Recent developments in Supreme Court and lower court case law will be reviewed to explain the intricacies of what inventions are eligible for patent protection, how copyright law may be used to protect application programming interfaces (APIs), and the extent to which trademark and trade secret law may have expanded relev...
Containerized software is riding a wave of growth, according to latest RightScale survey. At Sematext we see this growth trend via our Docker monitoring adoption and via Sematext Docker Agent popularity on Docker Hub, where it crossed 1M+ pulls line. This rapid rise of containers now makes Docker the top DevOps tool among those included in RightScale survey. Overall Docker adoption surged to 35 percent, while Kubernetes adoption doubled, going from 7% in 2016 to 14% percent.
In today's always-on world, customer expectations have changed. Competitive differentiation is delivered through rapid software innovations, the ability to respond to issues quickly and by releasing high-quality code with minimal interruptions. DevOps isn't some far off goal; it's methodologies and practices are a response to this demand. The demand to go faster. The demand for more uptime. The demand to innovate. In this keynote, we will cover the Nutanix Developer Stack. Built from the foundat...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It's clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Th...
Docker is sweeping across startups and enterprises alike, changing the way we build and ship applications. It's the most prominent and widely known software container platform, and it's particularly useful for eliminating common challenges when collaborating on code (like the "it works on my machine" phenomenon that most devs know all too well). With Docker, you can run and manage apps side-by-side - in isolated containers - resulting in better compute density. It's something that many developer...
Emil Sayegh is an early pioneer of cloud computing and is recognized as one of the industry's true veterans. A cloud visionary, he is credited with launching and leading the cloud computing and hosting businesses for HP, Rackspace, and Codero. Emil built the Rackspace cloud business while serving as the company's GM of the Cloud Computing Division. Earlier at Rackspace he served as VP of the Product Group and launched the company's private cloud and hosted exchange services. He later moved o...
Today, Kubernetes is the defacto standard if you want to run container workloads in a production environment. As we set out to build our next generation of products, and run them smoothly in the cloud, we needed to move to Kubernetes too! In the process of building tools like KubeXray and GoCenter we learned a whole bunch. Join this talk to learn how to get started with Kubernetes and how we got started at JFrog building our new tools. After the session you will know: How we got to Kuberne...
The Crypto community has run out of anarchists, libertarians and almost absorbed all the speculators it can handle, the next 100m users to join Crypto need a world class application to use. What will it be? Alex Mashinsky, a 7X founder & CEO of Celsius Network will discuss his view of the future of Crypto.
Docker and Kubernetes are key elements of modern cloud native deployment automations. After building your microservices, common practice is to create docker images and create YAML files to automate the deployment with Docker and Kubernetes. Writing these YAMLs, Dockerfile descriptors are really painful and error prone.Ballerina is a new cloud-native programing language which understands the architecture around it - the compiler is environment aware of microservices directly deployable into infra...
In his session at 20th Cloud Expo, Mike Johnston, an infrastructure engineer at Supergiant.io, will discuss how to use Kubernetes to setup a SaaS infrastructure for your business. Mike Johnston is an infrastructure engineer at Supergiant.io with over 12 years of experience designing, deploying, and maintaining server and workstation infrastructure at all scales. He has experience with brick and mortar data centers as well as cloud providers like Digital Ocean, Amazon Web Services, and Rackspace....
When Enterprises started adopting Hadoop-based Big Data environments over the last ten years, they were mainly on-premise deployments. Organizations would spin up and manage large Hadoop clusters, where they would funnel exabytes or petabytes of unstructured data.However, over the last few years the economics of maintaining this enormous infrastructure compared with the elastic scalability of viable cloud options has changed this equation. The growth of cloud storage, cloud-managed big data e...
Blockchain has shifted from hype to reality across many industries including Financial Services, Supply Chain, Retail, Healthcare and Government. While traditional tech and crypto organizations are generally male dominated, women have embraced blockchain technology from its inception. This is no more evident than at companies where women occupy many of the blockchain roles and leadership positions. Join this panel to hear three women in blockchain share their experience and their POV on the futu...
10ZiG Technology is a leading provider of endpoints for a Virtual Desktop Infrastructure environment. Our fast and reliable hardware is VMware, Citrix and Microsoft ready and designed to handle all ranges of usage - from task-based to sophisticated CAD/CAM users. 10ZiG prides itself in being one of the only companies whose sole focus is in Thin Clients and Zero Clients for VDI. This focus allows us to provide a truly unique level of personal service and customization that is a rare find in th...
The vast majority of organizations today are in the earliest stages of AI initiatives and this shift will be dramatic as more enterprises move forward in the AI journey. Although companies are at different stages of this journey, most agree that finding or developing analytic talent is a key concern and bottleneck for doing more. What if your business could take advantage of the most advanced ML/AI models without the huge upfront time and investment inherent in building an internal ML/AI data sc...