There's no sense in making predictions in the security space. There will be more creative attacks, and vulnerabilities will multiply at a rapid clip. Meanwhile, unsuspecting (or just plain stupid) users will enable hackers. All of those items are a given. But we can outline a few items that sure would be nice to have.
Here's my wish list for 2008:
A new QuickTime. Let's face it: QuickTime is a sieve when it comes to security. Meanwhile, QuickTime is everywhere. Add it up and Apple has two choices: keep patching QuickTime in an effort to keep up with flaws, or rebuild QuickTime. Instead of patching QuickTime repeatedly, Apple should launch a do-over. New features? Who cares? Just make QuickTime secure.
Take Web 2.0 security seriously. Shared APIs are great. Social networking features are wonderful. There's a lot to like about Web 2.0. But as these technologies make their way to the enterprise, these composite Web apps will have to become more secure. IBM is pondering the policy implications for so-called Enterprise 2.0. You should too.
End the monoculture. Every IT shop out there should incorporate one word into its strategy: Diversify. In an effort to cut costs, find one throat to choke and simplify infrastructure, technology managers are using fewer vendors (Microsoft, Oracle, SAP). What happens if this core software is hacked? The problem with monoculture is most evident with Windows. Diversify your operating systems. Sprinkle in Linux and Apple OS X along with Windows. Are the maintenance requirements more complicated? Possibly. But there are security benefits to be had.
Real penalties for data breaches. 2007 was the year of the data breach and TJX was among the headliners. TJX took a nice-sized financial hit, but Wall Street largely gave the company a pass. Same-store sales also held up, so it's not like customers fled the retailer. This scenario plays out repeatedly. The current state of affairs has to change. I hate to say it, but regulation may be the answer because executives just don't take protecting consumer data seriously--unless there's a breach, of course. The costs associated with data breaches are on the rise, but not by enough to change behavior.
PC makers focus on security vulnerabilities in software updates and crapware. HP has been taking its lumps over flaws in its Software Update feature embedded on laptops. Memo to Dell: Get ready, you're next. Hackers will increasingly target hardware makers, which bundle in more and more software to automate customer support and gain slotting fees from software companies.