There are more problems than we currently have solutions for, and the solutions that are being presented are ill-conceived, poorly thought-out, and don't actually solve the whole problem, thus perpetuating the problem in the long run. Recently American Express learned that if your website has cross-site scripting (XSS) issues, an effort must be made to sanitize all input rather than mitigating the single attack vector someone has demonstrated to you. This sort of problem is, unfortunately, pervasive, and it extends out into vendors as well (more on that in a minute).
For some reason, few people are interested in solving actual problems and are instead focused on either selling products or simply solving a point-in-time singularity such as American Express did. I'm not picking on AmEx specifically but their example simply underscores my point. Why is this trend ticking upward faster than previously?
In an analysis of the issue, we can blame a failing economic climate and therefore falling budgets, or short-sighted CIOs, or worse, security "professionals" with little vision. The fact is all of those factors have been around since long before this problem became so pervasive, and therefore we have to look to alternative reasons for such a collapse in strategic judgement. Nay, I think the problem revolves around the need to stay relevant. Allow me to explain.
Haven't you worked with (or for) someone who refuses to automate a process or teach others simply because he or she feels they will be made obsolete? You know how flat-out stupid that sounds, because it is those people who in the end create an unpleasant end for themselves, drowning in a hell of their own making. I think the security industry is headed in much the same direction...
I keep reading Giorgio's posts on the Internet Explorer 8 BETA1 release and the "ClickJacking" protections offered therein (here and here); yes, he's the guy who does NoScript, and all of a sudden it's become clear to me. Once again, Microsoft has "solved" an industry-wide problem by perpetuating their own proprietary technologies and then marketing them as ground-breaking. NoScript already addresses the UI Redress attack (more commonly known as ClickJacking), but since IE is so proprietary and closed... they have to re-invent the wheel to self-serve. This perpetuates the need for Microsoft to "save the masses"... since most people who don't know better are hooked on Microsoft's IE technology like crack.
There is an excellent paragraph I think everyone should read:
This IE8 anti-ClickJacking feature is by far not the only incident of self-serving short-sightedness. Why is it that every time we have a very serious issue (ClickJacking, after all, is not a hack but an abuse of legal, spec-defined HTML functionality), everyone jumps to throw their "quick solution" at the problem, then we consider it solved, and we move on... why?
It's like a bad joke... "[Patient] Doctor, my arm hurts when I bend it like this. [Doctor] Well, then don't bend it that way, problem solved!" DNS was fundamentally broken back in the 90's... but it wasn't until an earth-shattering PR move that every (or almost every) vendor issued a patch... a short-sighted solution. Is DNS still, for the most part, fundamentally flawed? Yea-ha. Are we going to wait until the next major hack to solve that singularity? Yea-ha.
Are the folks who make the security world go round just afraid that if we write fundamentally more secure code, solve the root problems, and address security issues at the grass-roots level, we'll all somehow become unemployed? As we keep proving, security issues will never go away; there is no end-game in security, as I've always said. Why not, rather than continuing to pile on the proprietary crapola, join the party and solve the UI redress issue in a cross-platform, cross-browser way? Why not, rather than patching browsers, actually address the problem inside the HTML standards?
I don't get it. Are we doomed to solving singularities and creating products to be point solutions? Or am I simply too philosophical to realize that this is a self-perpetuating issue which won't ever actually go away?