Commentary: Software patches are rotten to the core

There's a little bit of the proverbial chicken and egg to this statement. After all, you can't patch a flaw if you don't know about it, and if you do know about it, there's a good chance that malicious users do, too.

Just before this year's Black Hat, I spoke with Randy Sandone, CEO of Argus Systems Group, a computer security company based in Savoy, Ill. He recently testified before Congress regarding national security. While he welcomed the interest of Congress, he also cautioned: "If the government discusses its vulnerabilities, then our adversaries understand that, too. They can't touch us militarily, but they can attack our infrastructure." The problem, according to Sandone, is that we've gotten comfortable with patches and perimeter defenses without really attacking the core problem.

Firewalls provide pretty good protection, he said. However, companies and some government systems now open holes in their firewalls to allow employees or service partners remote access to their internal network. Services such as VPNs, wireless, P2P, and SOAP make it hard for system operators to identify who is on the "inside" of a given system and who might be attacking them from the outside.

The next layer of traditional protection is an Intrusion Detection System (IDS), which Sandone described as "security through vigilance" because it requires someone to monitor it around the clock. With today's large bandwidths, how can one individual be expected to spot the 1 percent of non-legitimate activity among the 99 percent legit? IDS "relies on a predetermined understanding of what is an attack, so one can't always see the new attacks," according to Sandone.

What's needed then is something closer to the core, where the data actually lives. In 1998, the National Security Agency issued a report called The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, which cautioned that "a secure operating system is an important and necessary piece to the total system security puzzle, but it is not the only piece. A highly secure operating system would be insufficient without application-specific security built upon it."

Sandone echoed the report by saying, "You can't get on top of all the patches, all the bugs--you just can't. That's not security." That's why he's arguing for a paradigm shift in the security industry.

Sandone's company, Argus Systems Group, makes a series of products called PitBull. Rather than putting a shell around the whole system, PitBull locks down an operating system and its attendant applications so a malicious user can't gain control over it. "We assume applications have bugs--that's a given," said Sandone. "What we do is put the individual applications in an airtight compartment. Even if there's a bug, that bug can't get exploited for a (system-wide) attack."

All this raises several questions: Why is it so hard for software vendors to establish and adhere to voluntary standards? Why are there so many vulnerabilities in the most popular software programs when there should be less? And, lastly, wouldn't it be great if operating systems and software were guaranteed to work the first time around, so that system administrators didn't have to spend so much time patching inherently flawed systems?

Sandone concluded our conversation by issuing a challenge to the security industry: "It's high time we start paying attention to the infrastructure at the core, and not cobble security from the outside." Frankly, I couldn't agree more.