Risk Management

Scientia Potentia Est (Knowledge is Power)

Submitted by Ofer Shezaf on 22 February 2012 - 10:36pm
The famous proverb “Knowledge is power” is attributed (probably wrongly) to Sir Francis Bacon, one of the founding fathers of modern science. Usually taken to refer to the contribution of science to the progress of human well-being in modern times, it is often criticized on the grounds that it takes action, and not just knowledge, to achieve progress.

The world of information security presents a similar dilemma. In my previous post, “black cat, white cat”, I divided the world of security controls into blacklisting tools for detecting and preventing attacks and whitelisting tools for enforcing policies. However, this is not the only categorization one can make of security tools: an orthogonal categorization would be between passive controls, the “knowledge”, and active controls, the “action”. Is knowledge power? Are passive controls, which provide us with information but do not take action, effective?

Should we blame Darwin’s evolution?

Submitted by Ofer Shezaf on 26 November 2011 - 12:57am
While we all chant a potential breach impact in a well-rehearsed manner, it is doubtful that we, as individuals or as a society, evaluate breach impact to its full extent. Why do we downplay breach impact and allow so many computers and even web servers to be infected?

At OWASP AppSec USA in New York in 2008, I presented an analysis of the Web Hacking Incidents Database project, which I founded and led at the time, trying to assess, based on it, what real application security risks an organization faces, focusing on a comparison with the picture portrayed by the OWASP Top 10.

You can watch the video below or read the slides here.

How can one evaluate non-perfect security solutions?

Submitted by Ofer Shezaf on 16 November 2011 - 7:05pm
Amichai Shulman, Imperva's CTO, presented at Source Barcelona today an innovative solution for detecting man-in-the-browser attacks from the web server itself. The interesting aspect of the solution is that it relies on logic that passes unencrypted through the attacker's code. As such, there is no way to prevent the attacker from interfering with that logic and therefore bypassing detection.

Using WHID to Assess Risk

Submitted by Ofer Shezaf on 22 December 2008 - 5:06pm
The Web Hacking Incidents Database provides a tool for assessing the risk posed by insecure web applications. Such risk analysis is important in order to make sure that resources are spent wisely when fixing or protecting web applications. The attached presentation discusses risk analysis for the security of web applications, and addresses the role WHID can play in such an analysis.

The outline of the presentation is:

The Internet Vacuum Cleaners

Submitted by Ofer Shezaf on 23 March 2006 - 3:53pm
If you took a look at the statistics page, you probably saw that in 2005 the number of reported incidents grew rapidly. This is probably at least partially because we started collecting information in 2005. But I believe that there is an additional reason: many more people are concerned with web application security and are inspecting online services in search of vulnerabilities.