Tuesday, April 28, 2009

Utility Computing

When will computing really become a utility? I expect it will when the following happens:

- Cheap, uncapped, high-speed wireless and operating systems that boot off the net are commonplace.
- Standards for web applications emerge that allow custom web applications to be specified, coded and hosted quickly, cheaply and securely, via a tendering application that helps capture the business requirements.
- Internet access is regulated and outages are financially penalised by the government (as with other utilities).

Saturday, April 18, 2009

web 2.0

Geez, there are some really interesting issues related to web 2.0. Location-aware social networking like Google's Latitude. Corporate Twitter in the cloud, aka Yammer. Cross Site Scripting, Cross Site Request Forgery and insecure Direct Object Reference will be common security problems in these applications.
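As an added illustration (not code from the original post), here is the shape of the three problems just named in a minimal Python request-handler model: an invoice lookup that trusts the id from the URL (direct object reference) beside one that checks ownership against the session, a state-changing action gated by a per-session CSRF token, and HTML output encoding against stored XSS. The invoice records, usernames and function names are constructed for the demo; there is no web framework involved so it runs offline.

```python
import hmac
import html
import secrets

# Constructed in-memory "database" for the demo: invoice id -> record.
INVOICES = {
    101: {"owner": "alice", "amount": 1200},
    102: {"owner": "bob", "amount": 50},
}


class Forbidden(Exception):
    """Raised when a request fails an authorisation or CSRF check."""


def get_invoice_vulnerable(invoice_id, _user):
    # Insecure direct object reference: the id comes straight from the URL
    # and nothing checks that the caller owns the record.
    return INVOICES[invoice_id]


def get_invoice(invoice_id, user):
    # Hardened: look the record up, then enforce ownership against the
    # authenticated session user, never against anything the client sent.
    record = INVOICES.get(invoice_id)
    if record is None or record["owner"] != user:
        raise Forbidden("invoice not found or not yours")
    return record


def issue_csrf_token(session):
    # One unguessable token per session, stored server-side and echoed
    # into forms; a form on an attacker's site cannot read it.
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def delete_invoice(session, form, invoice_id):
    # State-changing request: require a matching CSRF token (constant-time
    # compare) and the same ownership check as the read path.
    sent = form.get("csrf", "")
    expected = session.get("csrf", "")
    if not (sent and expected and hmac.compare_digest(sent, expected)):
        raise Forbidden("missing or invalid CSRF token")
    get_invoice(invoice_id, session["user"])
    del INVOICES[invoice_id]
    return True


def render_owner_line(record):
    # Output encoding: owner names originate from user input, so escape
    # them before they land in HTML (stored XSS otherwise).
    return "<p>Owner: %s</p>" % html.escape(record["owner"], quote=True)


def denied(fn, *args):
    # Demo helper: True if the call was refused with Forbidden.
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print(denied(get_invoice_vulnerable, 102, "alice"))  # False: IDOR
    print(denied(get_invoice, 102, "alice"))             # True
    session = {"user": "bob"}
    token = issue_csrf_token(session)
    print(denied(delete_invoice, session, {"csrf": "forged"}, 102))  # True
    print(delete_invoice(session, {"csrf": token}, 102))            # True
    print(render_owner_line({"owner": "<script>alert(1)</script>"}))
```

The point of the hardened lookup is that the authorisation decision uses the server-side session identity; the CSRF check uses a constant-time comparison so the token cannot be guessed byte by byte via timing.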

Wednesday, April 15, 2009

Hot spots

The following are hot spots for security researchers to focus on and infosec pros to worry about:

- Protocols that support Internet infrastructure, like DNS and BGP.
- Web servers.
- Database listeners (if you own a web server, pivot off it and this is the next stop out of the DMZ; also, all the data is in there :)
- Protocols you just can't turn off or block if there is a worm, like SMB.
- Middleware and anything that transmits a password: if it's not encrypted it's no good.
- Crazy virtualisation near trust zone boundaries: misconfigure vMotion or the SAN, or load the wrong VM, and you could have a database on the net.

Thursday, April 9, 2009

Cloud

The use of the word cloud makes me want to punch people. Have you got cloud? ARRRGH!! Well, I was chatting with a few people today at the AISA chapter meeting about cloud (which is really just a jumped-up re-brand of ASP, SaaS etc.) and mentioning how a colleague had told me of an organisation renting time on the Amazon cloud to do genomics number crunching (a 2-core server cost them 10c an hour or so). The conversation moved to old skool SETI@home, uploading VMs to run in the cloud (GBs in size, ouch), Ruddnet etc. The thing that made me LMAO was when Darren mentioned that crims do cloud the best. You can rent time on a botnet to do _whatever_ you want, and way cheaper than anyone else (as the crims don't even pay for the infrastructure). Botnets, I dub thee STORMCLOUD COMPUTING!

Tuesday, April 7, 2009

Conficker was a bust

Hmm, media and AV companies hyping a potential worm outbreak. So 2004. Doesn't anyone know that the game has changed? Researchers are all "no free bugs", or curtailed by EULAs, copyright legislation and MS bounties. Hence there is no proof-of-concept code lying around for idiots to turn into worms. Now the vulns are found by bad guys and used to send spam and steal credit card numbers.
Bad guys like to run under the radar. Wake up, media and vendors.

Thursday, April 2, 2009

think evil & build not break

It was a pleasure to hear Andrew van der Stock present last night at the Melbourne OWASP chapter meeting. His presentation covered a few home truths about application security that I share:

- Think evil: perform risk assessments and concentrate on what matters.
- Controls, not vulnerabilities: write simple, secure code with good key security controls (e.g. canonicalisation and known-good input validation); don't bolt on code to address individual vulnerabilities.
- Build, not break: don't be a blocker, be an enabler. Instead of saying no and raising a problem without a solution, provide an easier and more secure option for the developer.
- Ban insecure functions from development frameworks.
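To make the "controls, not vulnerabilities" point concrete, here is an added Python example (mine, not from the talk or the original post) of the two controls named above working together: input is canonicalised first, then checked against a known-good definition, with no deny-list of bad substrings bolted on afterwards. The upload root `/srv/app/uploads`, the username rule and the function names are assumptions for the demo; the directory does not need to exist.

```python
import os
import re
import unicodedata

# Assumed upload root for the demo (any directory works; realpath resolves
# the string lexically when it does not exist).
BASE_DIR = os.path.realpath("/srv/app/uploads")

# Known-good pattern: a username is 3-32 chars of lowercase letters, digits
# or underscore, starting with a letter. Anchored so nothing else slips in.
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]{2,31}\Z")


class ValidationError(ValueError):
    """Raised when input is not in the known-good set."""


def canonicalise_text(value):
    # Reduce the input to one canonical form before any check runs: NFKC
    # folds fullwidth and compatibility characters (e.g. U+FF41 -> 'a'),
    # so the allow-list cannot be bypassed with look-alikes.
    if not isinstance(value, str):
        raise ValidationError("expected a string")
    return unicodedata.normalize("NFKC", value).strip()


def validate_username(raw):
    # Allow-list validation on the canonical form; anything not matching
    # the pattern is rejected outright rather than "cleaned up".
    value = canonicalise_text(raw)
    if not USERNAME_RE.match(value):
        raise ValidationError("username must match %s" % USERNAME_RE.pattern)
    return value


def safe_upload_path(user_supplied):
    # Canonicalise the full path (realpath resolves '..', '.', doubled
    # separators and symlinks), then check the result is still under
    # BASE_DIR. Searching the raw string for "../" would be a bolt-on
    # deny-list that misses absolute paths, encodings and symlinks.
    candidate = os.path.realpath(
        os.path.join(BASE_DIR, canonicalise_text(user_supplied))
    )
    if candidate == BASE_DIR or os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValidationError("path escapes the upload directory")
    return candidate


def is_valid(fn, value):
    # Demo helper: True if fn accepts value.
    try:
        fn(value)
    except ValidationError:
        return False
    return True


if __name__ == "__main__":
    print(validate_username("\uff41lice"))                 # alice (after NFKC)
    print(is_valid(validate_username, "alice; --"))        # False
    print(safe_upload_path("2009/report.pdf"))
    print(is_valid(safe_upload_path, "../../etc/passwd"))  # False
    print(is_valid(safe_upload_path, "/etc/passwd"))       # False
```

Note that `os.path.join` silently discards the base when the second argument is absolute, which is why the containment check is done on the canonical result rather than on the input string.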

Infamous Agenda © 2008.