hi andy, If you read the article again, I think you'll find that the solutions offered by both Invincea and Dasient work regardless of whether the malware is installed through broken software or through social engineering. Dasient protects the server side of the APT problem (especially when it comes to bad ads), and Invincea wraps the browser (or the Adobe product) in an instrumented and transparent VM.
I agree that clueless users who click on whatever pops up lead to many infections even when software is is reasonable shape, but I don't see that as a reason not to build better software. Presumably, you guys at paypal agree. Right? gem On 3/22/11 7:57 PM, "Andy Steingruebl" <stein...@gmail.com> wrote: >On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw <g...@cigital.com> wrote: >> hi sc-l, >> >> The tie between malware (think zeus and stuxnet) and broken software of >>the sort we work hard on fixing is difficult for some parts of the >>market to fathom. I think it's simple: software riddled with bugs and >>flaws leads directly to the malware problem. No, you don't use static >>analysis to "find malware" as the AT&T guys sometimes thinkÅ you use it >>to find the kinds of bugs that malware exploits to get a toehold on >>target servers. One level removed, but a clear causal effect. > >Gary, > >Interestingly, your article only covers malware that gets installed by >exploiting a technical vulnerability, not malware that gets installed >by exploiting a human vulnerability (social engineering). I've been >looking around and haven't found much data on infection rates, >percentages, success rates, etc. but "voluntarily" installed malware >is a significant and growing concern, and it requires an entirely >different approach than that required for malware that exploits a >technical vuln. > >Thoughts? > >- Andy _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates _______________________________________________
