Originally posted on blog.mozilla.org/ladamski on January 22, 2010
Attackers will become increasingly more efficient at discovering & exploiting vulnerabilities, even as application developers continue to try to reduce the attack surface. This has several implications:
- Attackers will depend less on random manual testing to find vulnerabilities. Instead, attackers will find new and lazy yet creative ways of discovering vulnerabilities, such as mining public crash reports, bug repos and other public sources of information for clues to potential issues; spearphishing developers, corporations and other individuals with sensitive security information (to steal security bug information or gain/elevate access privileges to source code); and utilizing off-the-shelf security software to analyze potential targets. Call it laziness; I call it efficiency.
- Attackers will become increasingly efficient at deploying exploits, putting serious pressure on software vendors to compress release and update cycles. You are already seeing the acceptable window of updates shrinking from 30 days or more down to 24 hours, but that will come under severe pressure. By 2020 I expect acceptable update windows will be measured in an hour or two, and likely even minutes for high profile target applications.
- Focus away from bug counting as a useful metric, towards actual exposure risk. Something like number of open security bugs multiplied by average window of time from bug discovery to when the fix has been deployed to 80% of the user base (just a hypothetical example, the real metrics will likely be more complicated). This would require vendors to agree on common metrics and severity ratings, and become far more transparent and willing to share more information than they have been thus far, so perhaps it's not a particularly realistic prediction. 🙂
- Software companies will hopefully become more effective at putting security into context with other business objectives. While this seems like an obvious thing to do, too many companies treat security as practically an aspect of PR, rather than serious engineering work that requires tradeoffs in other areas of product development.
- Valuable information will continue migrating up the stack; so will valuable exploits. Much has been made of process isolation / sandboxing technologies, and they do help. However, as more critical information is stored on the web than on local systems, exploits that are executed with just “content” privileges (i.e. the context they run within has access to network and credentials/cookies but not filesystems or other critical OS resources) will increasingly be considered “good enough.” Expect to see more investment in exploit frameworks that focus on weaponizing information-stealing exploits that run within limited privilege processes.
- Fuzzing will become an increasingly commoditized technology & skill-set, so software vendors should not become complacent and assume technical superiority.
- Software companies that rely on “checklist security” processes and talking heads rather than deep technical security competence will suffer terribly as the sophistication of attackers ramps up, and their internal processes and teams cannot keep pace.
- Deployment of exploits will become sophisticated to the point that attackers will have a quiver of exploits that they will selectively deploy against specific application versions, only serving them against high-value targets. This means software vendors need to fix issues quickly, as they cannot afford to sit on bugs they know about: the first indication that a bug has been externally discovered will likely be when it is used in a high-profile, targeted attack.
- This will increase the value of zero day exploits, as they provide first-mover advantage against sophisticated and well-defended targets. These exploits will rarely be wasted on the more common, “shotgun” exploit economy out there that shoots at anything that moves (for purposes of building botnets for fun and profit, stealing email and WoW accounts, individual bank accounts, etc). That latter “exploit mass market” will focus increasingly on high volume exploitation of known issues in applications and platforms with slow update uptake rates, while niche players will focus on zero days for international and corporate espionage.
The above pontifications are purely my own opinions and are likely neither representative of nor shared by others.