Sometimes you come across a concept, and it sticks with you. I’ve read the Daily Dave list for years (mailing lists are kind of like Snap, but for email, kids!) and one post from Dave Aitel in particular stands out as truly insightful. It’s worth reading the post in its entirety, but Dave talks about the platform risk as a factor that fundamentally determines your exposure, more so than any other factor:
“Immunity has already gone through our data, like every other consulting company, and found that the process of the SDL is 10 times less of an indicator of future security than the initial choice of platform to build a product on.”
To translate what Dave is saying – the original choice of your development platform is what determines your long-term risk. You can and should implement security programs, such as a Software Development Lifecycle, but all of them will be lower impact than your platform choice and incremental in nature. Knowing and being aware that your platform is rotting is important, because that should calibrate how seriously you consider appropriate countermeasures.
This notion of platform risk may come across as nihilistic, but it’s worth embracing this concept because we have examples of major improvements once you truly grasp where you stand. If you’ve been doing security for a while, no doubt you’ll remember Dan Geer’s well-articulated position all the way back in 2004 that Microsoft is a monoculture, and everything we know about genetics tells us monocultures don’t survive long term. Dan Geer lost his job over his monoculture warning, but fast forward to 2017 and Microsoft is no longer the smoldering crater of insecurity it once was. It’s not a coincidence that WannaCry, the most prominent recent ransomware to make the news, really only targets versions of Microsoft software no one should be using at this point. If you use AWS and Azure, chances are WannaCry was a non-issue.
Which brings us to the main point we study at Alert Logic – where are the biggest risks in your infrastructure as you adopt cloud services? There is a strong argument that this concept is very relevant for cloud workloads, but in order to fully appreciate the degree of this risk you have to look not only at platforms, but entire application stack families – and from everything we’re seeing the LAMP stack is leading the way as the biggest source of exposures in cloud environments.