IT Security Guru
Predicting 2015 – Flaws get bigger and badder

by The Gurus
January 9, 2015
in Opinions & Analysis
Following on from our overall look at the common predictions sent to me for 2015 and a lively webcast on the subject from this week, I have decided that the second prediction trend I will look at more thoroughly is a continuing major topic from 2014.
 
Could anyone have predicted the impact that the likes of Heartbleed, Shellshock and Poodle would have upon security? With national global news coverage and enough scare stories to shock even the calmest IT administrator into action, they made for plenty of column inches and late nights.
 
As a result, it is no surprise that major flaws feature heavily as a predicted trend for 2014. In fact, many established security firms and researchers predicted that things will get worse before there is any potential of things getting better.
 
For example, Kaspersky predicted that there will be more “internet-bleeding stories” of dangerous vulnerabilities appearing in old code which exposes the internet infrastructure to menacing attacks, while Sophos predicted that there will be “more major flaws in widely-used software that had escaped notice by the security industry over the past 15 years”.
 
Jesse Rothstein, CEO of ExtraHop, said that Heartbleed and Shellshock are just the beginning, as their scope and scale, as well as their proximity to each other, were a wake-up call for many IT organisations. “In my nearly 20 years of experience working in enterprise software and network engineering, these are two of the most serious threats I’ve seen. I’d go so far as to say that they are among the top five most significant zero-day events of all time,” he said.
 
So is the problem entirely in old code? Both Blue Coat Systems and McAfee predicted that there will be further exploitation of vulnerabilities, with the former predicting that a single defect will cause failures to ripple through a system. “Vulnerability seekers have had their first taste of this, and there’s no going back now,” Blue Coat said.
 
McAfee Labs predicted that exploitation techniques such as stack pivoting, return and jump-oriented programming and a deeper understanding of 64-bit software will continue to drive the growth in the number of newly discovered vulnerabilities, as will the volume of malware that exploits those newly discovered vulnerabilities.
 
So it is not just in the legacy code, or the new technology as it is built with old code bases. Candid Wüeest, threat researcher at Symantec Security Response, believed that 2015 will bring new vulnerabilities discovered in open-source databases and web-service platforms, and with that we’ll see hackers exploit these vulnerabilities with impunity.
 
He said: “As with Heartbleed and Shellshock, these vulnerabilities represent a potentially rich, new area for attackers; the greatest risk continues to come from vulnerabilities that are known, but organisations and consumers alike don’t apply the corrective patches.”
 
I am sure that flaws will continue to be reported and disclosed, much like they were this week with Moonpig. However as we found out this morning, we will be hearing a lot less from Microsoft with regard to its advance notification system being suspended for the commoners.
 
HD Moore, chief research officer at Rapid7, predicted that we will see tons of client-side issues within Microsoft though, even though the “big bugs” of 2014 were not in Microsoft products for once.
 
“The issues that keep ‘breaking the internet’ are endemic flaws in open source software that really should be better by now,” he said. “Plan for another year in which vulnerabilities in open source libraries and system components result in major disruption and possible data loss.”
 
Of course we will see more bugs, as Veracode’s Chris Eng told me last year: “most software is not written entirely from scratch; only ten per cent of code is, and 90 per cent comes from other libraries and products”. In other words, recycled code with duplicated flaws. Maybe a solution is better code analysis, or for the code writers to start from scratch.

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic