Wednesday, December 27, 2006

Maybe I'm not too far off

Ok, so maybe my previous posting wasn't too crazy. Just came across a nice little piece named "Vulnerability Assessment is dead, can I sell you a scanner?" by Alan Shimel of StillSecure. Seems that they actually have products that play in the space I figured ought to exist, only they take it a little further with NAC as well.

I'm not sure I buy the argument that NAC is the next step, given that NAC solutions haven't been proven to be what you'd call reliable or even workable. See - "Bypassing NAC Solutions". Its by a NAC vendor so YMMV, but still makes some good points.

We could just stop running such crappy operating systems, applications, etc. Of course, as Jeremiah Grossman points out in - The future of web application vulnerability assessment is about scale - even if we weren't building on top of quicksand, we're still pretty much screwed.

Thursday, July 27, 2006

Security thoughts for the day

I promised a security thought. Here it is.

I've done quite a bit of investigations of configuration management tools. Tools like cfengine, pikt, opsware, bladelogic, and even my own homegrown stuff. All of them have their plusses and minuses. One thing that some of them are branching into is policy-based configurations and auditing, rather than just configuration management. Bladelogic for example turns the CIS (Center for Internet Security) Best Practices guides into a policy they can audit against. Two sides of the same coin perhaps, but more on that later.

There is a whole different space of security tools out there that I thing are closely related. Tools like Symantec's ESM and Elemental Security's offerings. These are security auditing tools that let you model security settings in some sort of policy language and then audit against it. There are probably other vendors out there too, people like bindview.

There are also a whole bunch of network vulnerability scanning tools such as Nessus, ISS, nCircle, Qualys, etc. Some of these are evolving to be able to do local scanning of systems for local vulnerabilities rather than just probing things over the network. One of the problems with remote probing of local vulnerabilities is that you need a language capable of scripting actions on multiple platforms, you need to store credentials for the hosts, and you need a language or format for describing what a local vulnerability looks like. Turns out this is a problem that people like Elemental and Symantec (formerly Axent) have already solved. They have a policy language capable of describing a proper configuration from a security standpoint, and they are capable of auditing for compliance.

The way I see it a few of these vendors need to get in bed with each other. Creating a security policy and describing it in machine language form is just a special case of a configuration. Its a security configuration, but its really no different in a lot of ways than anything else you'd want to manage from a configuration management tool.

I'd really like to see a merging of tools in these related spaces so that from a single vendor, or at least a single console, I can both check for and enforce security configurations on my machines. I could also manage all of my other configurations from the same tool to detect deviations.

Throw in some tripwire-like functionality and you've got a real winner and the start of what people are calling autonomous computing, self-healing systems, etc.

I think I'm not nearly smart or energetic enough to turn this into a product idea, but maybe someone will read this and tell me they're already working on it.