A bird's eye view

In the recently held Hack-in-the-Box Security Conference 2008, world-renowned security expert, Bruce Schneier, CTO and founder of BT Counterpane spoke at length on the need to match reality to feeling to enable true security.

By  Sathya Ashok Published  May 18, 2008

Grossman presented statistics and numbers on the quantity of code being developed and the average number of vulnerabilities that can be present in this code to illustrate the difficulty of finding and addressing the multitude of security weaknesses.

"If all new code is inspected to find one undiscovered vulnerability every sixty seconds, we would never find them all. If this is done every ten seconds it would take about three years to find all the new vulnerabilities for just this year," said Grossman.

He used the same technique of quoting numbers and research papers to extend the argument to web applications, stressing that they are equally insecure and dangerous.

"Experts say around 90% of externally accessible applications are web-enabled, and up to two-thirds of these have exploitable vulnerabilities," he added.

While the best way to protect the individual and the corporation might be to switch off the internet, Grossman states that the middle path is to adopt best practices and to remain on the lookout for possible attack vectors at all times.

This would include checking that a site presents a valid SSL certificate before accessing and using content from it.

"From where I sit most of us are mired down in our day-to-day jobs and don't have the time or cause to look up and consider where we are headed. These days it seems we have a lot more experts and less expertise. More products and less coverage. More best practices and less security. More news and less information. This type of environment I think is why hacks happen every minute of every hour of every day. And it is my opinion that we need to take a second look at what we know, reconsider what we think we know, and possibly come to a new set of assumptions," added Grossman.

Other presenters at the conference included Christopher Rouland, CTO of ISS, now part of IBM, who spoke about the latest advances in intrusion prevention and detection.

Daniel Ingevaldson, manager of technology strategy, ISS, global technology services at IBM, covered enterprise issues in a session on virtualisation security.

Referred to as 'The Black Hat of the Middle East', the two-day conference, preceded by two days of training sessions, provided a platform for developers and programmers of the Middle East to meet and interact with some of the foremost names in the security industry globally.

The event played host to several key figures in the hacking and security community, flown in for the first time to the UAE, to celebrate the abilities of hackers and to enunciate the potential weaknesses of enterprise security systems.
