Thursday, February 22, 2007

What Did I Tell You? Google looking like a nexus of insecurity

I've been saying this for several months now. I highlighted it in my keynote at the Enterprise Security Asia conference. Google could be the next big thing in security, as in "insecurity." The recently announced hole, now patched, that permitted cross-site scripting attacks via Google Desktop, is only one aspect of "the Google factor." The concern is that Google has many of the characteristics of a "nexus of insecurity." Here are some of those characteristics:
  • New and exciting
  • Popular and widely used
  • Cross-platform
  • Network-based
  • Rapidly growing
  • Easy to install
  • Becoming a standard
  • Processing sensitive data
A good example from the past is Microsoft Word. There was a time when this application was not a major source of security problems. Then came the first Word macro virus, in 1995, and everyone suddenly realized that the Word doc format was a de facto, cross-platform standard, one in which companies stored highly sensitive information (often the best nuggets of corporate data are distilled into memos and letters and reports written in Word). It also became clear that Word documents were traveling from network to network and across corporate boundaries thanks to email. Then it became clear that Excel spreadsheets were also an issue, then PowerPoint, and so on.

Now, let me make it clear that I have no knowledge of Google's security strategy or how it schools its programmers in secure coding, or how it tests its code before putting it into production. Google may be doing a great job in all these areas. I would love to find out that they are. All I am saying is that, historically, software possessing the characteristics listed above has tended to become a source of security problems.
