Tuesday, March 5, 2013

Raising awareness concerning software vulnerabilities

Software vulnerabilities that allow a large variety of badness to happen are something that all enterprise information security professionals need to address. Where a decade ago we were mostly chasing operating system bugs, and shortly after that middleware bugs, we now seem to be focused solidly on patching bugs in application land: flaws in web browser software, vulnerable document viewers, and code interpreters subject to attack and privilege escalation.

It seems that the latest round of 0-days is focusing a lot on Oracle products. Java has been in the spotlight for quite a few years now, and its security track record has never been stellar. However, 2013 seems to set a new, albeit dubious, high with regard to both the frequency at which vulnerabilities are discovered and the severity of those vulnerabilities.

To inform my fellow IT staff of that trend, I posted this little poster on the wall outside my office. Like many organizations, we rely on Java for several enterprise applications, and the primary goal of the poster was to raise awareness within the IT team that Java is software that should be treated just like an operating system.

In other words: manage versions wisely, migrate off branches before they reach end-of-life, and apply patches as soon as they are released.
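To make that advice concrete, here is a small inventory check, added for this page and not part of the original post or of any Oracle tooling. It parses the `java -version` output collected from a set of hosts, classifies each host against an assumed baseline (7u17 as the newest update on the 7 branch, the 5 and 6 branches treated as end-of-life), and reports who is current, who is behind, who is on a branch that must be migrated, and who has no Java at all. The host names, version strings and baseline are constructed for the example.

```python
import re
from typing import Dict, FrozenSet, NamedTuple, Optional

# Output of `java -version 2>&1` as it would be collected from a handful of hosts.
# These five samples are constructed for the example; they are not real inventory data.
SAMPLE_OUTPUT: Dict[str, str] = {
    "build01": 'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)\n',
    "app02": 'java version "1.7.0_13"\nJava(TM) SE Runtime Environment (build 1.7.0_13-b20)\n',
    "legacy03": 'java version "1.6.0_37"\nJava(TM) SE Runtime Environment (build 1.6.0_37-b06)\n',
    "dev04": 'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n',
    "kiosk05": "bash: java: command not found\n",
}

# Assumed policy inputs (not from the post): the newest update per supported
# branch, and the branches treated as end-of-life that must be migrated off.
CURRENT_UPDATE: Dict[int, int] = {7: 17}
EOL_BRANCHES: FrozenSet[int] = frozenset({5, 6})

# Matches the 2013-era version line, e.g. `java version "1.7.0_17"`. The `_NN`
# update suffix is optional because a GA release prints "1.7.0" without it.
VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?"')


class JavaVersion(NamedTuple):
    branch: int   # 6 for 1.6.x, 7 for 1.7.x
    update: int   # update number, 0 for a GA build


def parse_java_version(output: str) -> Optional[JavaVersion]:
    """Extract branch and update level from `java -version` output; None if no JRE answered."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return JavaVersion(int(m.group(1)), int(m.group(2) or 0))


def assess(version: Optional[JavaVersion],
           current: Dict[int, int] = CURRENT_UPDATE,
           eol: FrozenSet[int] = EOL_BRANCHES) -> str:
    """Classify one host's Java installation against the policy above."""
    if version is None:
        return "absent"
    if version.branch in eol:
        return "end-of-life branch %d: migrate" % version.branch
    latest = current.get(version.branch)
    if latest is None:
        return "unknown branch %d: review" % version.branch
    if version.update < latest:
        return "outdated: %du%d is %d update(s) behind %du%d" % (
            version.branch, version.update, latest - version.update, version.branch, latest)
    return "current"


def inventory(outputs: Dict[str, str],
              current: Dict[int, int] = CURRENT_UPDATE,
              eol: FrozenSet[int] = EOL_BRANCHES) -> Dict[str, str]:
    """Map each host name to its verdict."""
    return {host: assess(parse_java_version(text), current, eol)
            for host, text in outputs.items()}


if __name__ == "__main__":
    for host, verdict in sorted(inventory(SAMPLE_OUTPUT).items()):
        print("%-9s %s" % (host, verdict))
```

The point of the check is the three distinct outcomes: an outdated update level is a patch job, an end-of-life branch is a migration project that no patch will fix, and a host with no Java is the simplest win of all. Feed it real `java -version` output from your configuration management or a remote shell loop, and bump `CURRENT_UPDATE` every time Oracle ships an update.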

I underestimated the response that I would get.

My Twitter feed, normally sedate, lit up with retweets and favorites, and I would say about half of the IT staff that passes by my office on a regular day stopped by to have a little conversation about my "artwork". That gave me an opportunity to explain to many of them what it means when 0-days are out in the wild and patches are not available. A good number of them went back to their desks and either removed Java altogether, or they patched and updated it.

Even better, when I came back from lunch, creative individuals had already updated my poster for Java 7 update 17, which was released less than 30 minutes before that point! Talk about effective engagement: not only did I have a chance to explain 0-day badness to IT folk, they even ran with it and made it a collaborative group effort.

In another day or so, I'll take the sheets down again. Having them up any longer means that people will start ignoring them, and nobody wants that.
