17 Jan

2013 Website Security Prediction - No Apocalypse

As we enter 2013, it is customary to make predictions about the upcoming year. However, a New Year's prediction is never a happy thing when security professionals are involved. The future is always dark, ominous and gloomy.

This year, rather than predicting a gloomy future, I want to wish away some silly things in the world of the present. So, here goes:

1. On-Premises DDoS Prevention Appliances / Software

On-premises DDoS appliances should go gently into the night. They had a good run, back in the good old days of sub-gigabit attacks. But today, with 50 Gbps+ network attacks, what use are they? An appliance sits behind the customer's uplink, so a volumetric attack that exceeds that uplink's capacity saturates the pipe before a single packet reaches the box, no matter how well it scrubs. Not much use, then, even without going into the question of what it takes to stop application-layer DDoS attacks.

2. Dramatic SSL Certificate Alerts

Yes, thank you for the warning, dear browser, but if it's all the same to you I think I'm going to proceed anyway. And no, I don't really understand the risks. How can I? Whenever my browser presents these ominous warnings, they are usually false positives - like expired certificates or a certificate issued for a slightly different variant of the domain… In fact, I've yet to encounter a real attack with an invalid or expired certificate. Phishing sites are much more careful than that, and they will have valid, shiny certificates no one will prompt you about. So spare me the drama, and please just let me in. If you want to warn me, warn me about slow sites...

3. Gartner’s Magic Quadrant for Application Delivery Controllers

Perhaps the classifications in this report made sense 5 years ago, but they make absolutely no sense today. Up until 2007, Akamai was listed as an Application Delivery Controller, which was just fine by me. But then Gartner decided to limit the ADC report to on-premises appliances and software only. Why? What's so special about on-premises solutions, when a CDN shares the same core functionality as an ADC (load balancing, TLS offload, caching and compression at the edge of the application)? Cloud services are where things are happening now. Sorry, but this report doesn't make sense any more.

4. Open Source Web Application Firewall Rule Set

Ok, not really. An open source Web Application Firewall is a good idea. An open source firewall rule set is silly. Why give attackers not just the information on how to circumvent the protection (there will never be 100% protection - ever), but also full access to the means for testing and refining their evasion techniques against the exact signatures they will face in production? To paraphrase James T. Kirk: The security game is not chess. It's poker. You don't win it with an open hand.


5. Doom and Gloom Predictions

2013 is going to be a record year for hacking and for security threats in general. And 2014? Worse. 2015? Worse yet. By that token, if a security expert prognosticates 10 years into the future, you'd get something like Earth Abides.

As far as I'm concerned, security experts should start thinking happy thoughts. In 2013, the proportion of hackers in the overall population will remain roughly the same, even as both grow in absolute numbers. The security industry will become even more organized and sophisticated, and, using the cloud and other cutting-edge technology, will continue to deliver services and products that protect the general population.

Stay safe,
Gur Shatz, Incapsula CEO and Co-Founder