More bugs in security products
The recently released bug in Altiris Notification Server allowing privilege escalation echo’s a sentiments I’ve held for a long time:
- Security products, in general, are no less vulnerable to attack than your average piece of software. (Note that this product had a similar vulnerability just a few months previously…)
- Adding security products increases your install base.
- Increasing your install base increases your attack surface.
I believe big strides toward a more secure, robust computing environment can be achieved through:
- Allowing the least required access to the minimum required services
- Reducing the install base to support least access to least services
If you can’t get those simple things right, don’t bother adding security products on top.
Every additional service (software, protocol, etc) and each additional role compounds your attack surface.
Get down to basics.
Bill