On the subject of security, this just came in from eWeek's Security Center Editor, Larry Seltzer: What Scares Me About Security in 2007.
...the real action in vulnerabilities and exploits is on the server, where more than 70 percent of vulnerabilities are from Web apps, PHP, Perl and similar systems. Many of the sites with these vulnerabilities are front ends for important databases. With such potential you can expect to see Web app worms going nuts this year, causing massive damage. And since PHP has suffered them before and so much research is focused on it, expect the attacks to center on those servers. If you run a PHP server, better keep up with those updates. It's going to be a harder year for security in 2007 because it will be harder to explain problems, and perhaps harder to write tools to detect them. But part of this is because we've already made things hard for the bad guys.
This illustrates the problem I have with security experts: they're focused on the technical problems. As my previous post indicated, the real problems aren't technical, they're administrative. Technical problems are more addressable, hence get more attention. It's like searching under the streetlight for the key you dropped on the dark corner nearby, because the light is so much better under the streetlight.