<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>COM SECURITY TALK from INFILTRATE 2017:
<a class="moz-txt-link-freetext" href="https://vimeo.com/214856542">https://vimeo.com/214856542</a></p>
<p>Ok, so I have a concept that I've tried to explain a bunch of
times and failed every time. And it's how not just codebases
decompose, but also whole platforms. And when that platform
cracks, everything built on it has to be replaced from scratch.
Immunity has already gone through our data, like every other
consulting company, and found that the process of the SDL is 10
times less of an indicator of future security than the initial
choice of platform to build a product on. <br>
</p>
<p>It's easier for people to understand the continual chain of
vulnerabilities as these discrete events. They look at the CyberUL
work and think they can assess software risk. But platform risk is
harder.<br>
</p>
<p>Some signs of cracking are:</p>
<ul>
<li>New bugclasses start to be found on a regular basis</li>
<li>Vulnerability criticality is regularly "catastrophic", as
bugclasses that used to be low risk are now known to be of
super high risk when combined together
</li>
<li>Remediations become much more difficult than "simply patch"
and often bugs are marked "won't fix"</li>
<li>Even knowing whether you are vulnerable is sometimes too much
work, even for experts</li>
<li>Mitigations at first seem useful but then demonstrate that
they do more harm than good</li>
</ul>
<p>From an attacker's standpoint, being able to smell a broken
platform is like knowing where a dead whale is before anyone else
- there is about to be a feeding frenzy. Whole careers will live
and die like brittle stars upon the bloated decomposing underwater
corpses of Java and .Net. Microsoft Windows is the same thing. I
want to point out that two years ago when Microsoft Research gave
their talk at INFILTRATE, initially nobody took any notice. But
some of us forced research on it, because we knew that it was
about the cracking of an entire platform - probably the most
important platform in the world, Active Directory. <br>
</p>
<p>From a defensive standpoint, what I see is people in denial
that this process even exists. They think patching works. They
want to believe.
</p>
<p>From an architectural standpoint, Windows is only two things: COM
and the Win32 API. Forshaw has broken both of them. And not in ways
that can be fixed. What does that mean? Anyways, watch the video.
:)
</p>
<p>-dave</p>
</body>
</html>