Okay, I know it took days before I was able to post this. I had a lot of deadlines to meet before Christmas. Over at his blog, Mike Murray posted his security predictions for 2007, and since he tagged me, this is what I came up with.
Security nowadays is very hard to accomplish, since everything is being increasingly digitized and, more importantly, networked. As 2007 approaches, security professionals cannot just roll over and play dead. We have to keep trying, because the alternative is worse. So here are my predictions for the coming year:
1. Inefficiency will continue to breed profit. Security professionals will continue to enjoy a surge in business and growing salaries, yet the dismal situation we are facing will continue. In the land of the blind, the one-eyed man is king.
2. We might finally see a major ActiveX security breach. The security weaknesses of ActiveX controls have long been known. Yet they are still highly popular. And it's about to get worse. I agree with the Yankee Group when they say, “Retire ActiveX — now.”
3. Product life cycles will be shortened to three months. More organizations will continue to rely on “beta test” code that is not even of “alpha test” quality. Internet time has killed the concept of software testing. With the current system, the policy is: make the promise, grab their money, then promise fixes in future releases; and since you have their money, they will wait. Running the beta will win over running code that works.
4. Usability will still win over security. Most major applications will still ship with defaults that do not promote security. Still, people will think they are secure because of false advertising. It took 25 years' worth of UNIX security bugs to create a market perception that it is insecure. But it took only a year of Microsoft marketing to create a market perception that NT is secure. And it will take 3 – 6 months' worth of Microsoft marketing clout to create the notion that Vista and IE7 are secure.
5. The patent office will be even more hopelessly naive in keeping up with technology and patents will contradict or overlap huge areas of technology. Small companies won’t be able to afford to play.
6. Still no security model. More spaghetti software. And because of this, everything layered above a system with no security model will remain insecure. Market share and mind share will remain driven by who gets out there first. Whatever gets out there first is not likely to be good – just first. More to the point, it is almost certainly going to have security left out.
7. The epidemic of cybercrime will grow even more. We might see the number of organizations falling victim to DDoS (distributed denial of service) extortion rising from approximately six or seven thousand up to nine or ten thousand in the coming year. And many companies will continue to pay, because an outage could cost them millions in lost revenue and public relations damage.
8. More web application vulnerabilities. Mercedes Benz, Fuji Film, Panasonic, US Navy, US Army, Greenpeace, Coldwell Banker, Microsoft, Google, Stanford Electric, the National Oceanic & Atmospheric Administration, The SCO Group, the National Weather Service, Stanford University, SANS Institute, Symantec, McDonald's, Sandia National Laboratories, the U.S. Geological Survey, Bottom Line Technology, Association of Chief Police Officers, Midwest Express Airlines, the Space and Naval Warfare Systems Command, the Office of the Secretary of Defense, the Defense Logistics Agency, NASA Jet Propulsion Laboratories, Department of Education (Philippines), Department of Science and Technology (Philippines)... what do all these have in common? Their web sites were recently defaced. This year alone, there have been a staggering number of exploits of vulnerabilities in eBay, Yahoo! Mail, Google's Gmail and MySpace, among others. We might even see the number of identity theft cases go higher.
9. Patch management will get even worse.
The security company Scanit recently conducted a survey which tracked three web browsers (MSIE, Firefox, Opera) in 2004 and counted which days they were “known unsafe.” Their definition of “known unsafe”: a remotely exploitable security vulnerability had been publicly announced and no patch was yet available. Microsoft Internet Explorer, which is the most popular browser in use today and installed by default on most Windows-based computers, was 98% unsafe. Astonishingly, there were only 7 days in 2004 without an unpatched publicly disclosed security hole.
It doesn't take a genius to know where patch management is heading. Do the math; read the last statement again if you have to. Why continue a battle we cannot win? If patching really works, why are there still bugs in IE?
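To make Scanit's “known unsafe” measure concrete, here is an added example (my own code, not Scanit's, with constructed disclosure and patch dates rather than their 2004 data) that counts the days in a year on which at least one publicly disclosed, remotely exploitable vulnerability had no patch available, merging overlapping exposure windows so a day is counted once:

```python
from datetime import date, timedelta

# Constructed sample records: (public disclosure date, patch release date or
# None if still unpatched). These dates are invented for illustration only.
SAMPLE_VULNS = [
    (date(2004, 1, 5), date(2004, 1, 20)),
    (date(2004, 1, 15), date(2004, 3, 1)),   # overlaps the first window
    (date(2004, 6, 1), date(2004, 6, 3)),
    (date(2004, 11, 20), None),              # unpatched at year end
]


def known_unsafe_days(vulns, year):
    """Return the set of days in `year` on which at least one disclosed
    vulnerability had no patch yet (the 'known unsafe' rule).
    A day is unsafe from the disclosure date up to, but not including,
    the day the patch shipped; unpatched bugs stay unsafe to year end."""
    year_start, year_end = date(year, 1, 1), date(year, 12, 31)
    unsafe = set()
    for disclosed, patched in vulns:
        first = max(disclosed, year_start)
        last = (patched - timedelta(days=1)) if patched else year_end
        last = min(last, year_end)
        day = first
        while day <= last:          # overlapping windows merge via the set
            unsafe.add(day)
            day += timedelta(days=1)
    return unsafe


def unsafe_summary(vulns, year):
    """Unsafe/safe day counts and the unsafe percentage for the year."""
    days_in_year = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    unsafe = known_unsafe_days(vulns, year)
    return {
        "unsafe_days": len(unsafe),
        "safe_days": days_in_year - len(unsafe),
        "unsafe_pct": round(100 * len(unsafe) / days_in_year, 1),
    }


if __name__ == "__main__":
    print(unsafe_summary(SAMPLE_VULNS, 2004))
```

Feeding real advisory and patch dates for a browser into `SAMPLE_VULNS` reproduces the kind of “N days unsafe out of 366” figure the survey reports.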
10. An idiot with a compiler might be the one who writes the next killer virus or malware. Yet, as always, safety technology is developed much later. Seatbelts, for example, were developed 120 years after the car was introduced. I just hope that the millions of dollars the industry is losing today will be enough of a wake-up call to the security community. Let us not forget that the security community's mandate is to protect, once and for all. And let us not wait until it is too late before we realize that code can be both life-valuable and life-risking.
So here is summary scene number 1 for 2007: unless we do something, we're doomed. And summary scene number 2: on the bright side, security professionals will continue to enjoy job security. I came up with these predictions by looking at the current trend. So, unless someone turns the steering wheel 180 degrees, we're pretty much doomed.
Now, for the blog tag!
I am listing five blogs, those that aren’t on Mike Murray’s list, for them to give their own prediction for 2007.
So, what about 2007, guys? What do you think?