Tuesday, February 20, 2007

The Last Great Security Crisis? Sadly Not

You can't read all the security pundits all the time, but I usually take time to read Larry Seltzer at eWeek. So I am not knocking Larry when I take issue with his recent column titled the Last Great Security Crisis. Indeed, it is well worth reading and sheds light in an area that needs it: application security.

Larry is not talking about web apps or Software as a Service but Microsoft Office apps, arguably the biggest single gateway to networked computers and sensitive data on the planet. Whuh? That's a pretty sweeping claim. But think about it. Just about every organization's really important data is currently condensed into Word documents, Excel spreadsheets, and PowerPoint slides.

Want to know what is going on in a company? Forget mining complex databases; look for the highlights, which are more often than not found in some kind of doc/xls/ppt file, starting with executive summaries of everything from new product development to sales projections to cash-flow analysis. Combine that with the seemingly endless stream of holes in those applications and you have the ingredients for a permanent security headache (as opposed to the plain human headache you get from trying to picture a stream of holes).

How many organizations eventually get to experience that headache will depend on a number of factors, from the diversification of applications and formats (Mac, PDF, OpenDocument, XML, etc.) to the actions of the world's bad actors. The latter may focus more on desktop application vulnerabilities if Vista does deliver an improvement in overall enterprise security. It's that old displacement-of-risk black magic. As long as bad actors are plentiful and well-motivated (actually it seems like that should be badly-motivated, but you know what I mean), the overall threat level will not go down; it will just keep seeking the low-hanging fruit and the easy wins, which will be losses for legitimate users.
