How do you eliminate vulnerabilities by design? Isn’t keeping your software up to date the best one can do?
Keeping software up to date is a must, but it is reactive: it only removes vulnerabilities after they have been discovered, after patches are published, and after those patches are actually applied. From the moment a vulnerability is disclosed you are in a race against the attackers, and the attackers are automated. So yes, keep software up to date, but there is more that can be done.
Eliminating vulnerabilities by design is a proactive strategy. One example is a serverless design, which replaces the traditional web host (running server-side scripts and a database) with a CDN that serves static client applications, where those clients connect only to a small number of highly trusted, hardened servers. Another example is a "Zero Trust" environment, in which every component is responsible for authenticating every request rather than trusting anything simply because it arrived from inside the network.
You can’t hack a server that isn’t there and you can’t hack an application that isn’t there either.
Moving servers and applications from more exposed locations to less exposed ones can eliminate an entire class of common attacks. Disabling unneeded entry points on the server (for example, script interpreters, unused HTTP methods and administrative interfaces) eliminates further classes of attacks, because the server simply will not run what the attacker sends it.
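As an added illustration, not configuration from the original page or its author, here is an nginx server block for the design just described: the host serves only static files, has no script interpreter or writable endpoint for an attacker to reach, and the browser is told that the client application may connect to exactly one trusted API origin. The hostnames, paths and the API origin are placeholders chosen for the example.

```nginx
# Added example (not from the original page): a static-only edge host.
# www.example.com, /srv/www/static and api.example.com are assumed placeholders.
server {
    listen 443 ssl;
    server_name www.example.com;            # assumed hostname

    root /srv/www/static;                   # assumed document root: static files only
    index index.html;

    # Entry-point removal: no script interpreter is configured anywhere in this
    # block, and a request for a server-side script name gets a plain 404 rather
    # than being handed to an interpreter.
    location ~* \.(php|cgi|pl|py|asp|aspx|jsp)$ {
        return 404;
    }

    # Only read-only requests reach the static files (allowing GET also allows
    # HEAD); every other method is refused outright.
    location / {
        limit_except GET { deny all; }
        try_files $uri $uri/ =404;
    }

    # The client application may only talk to the one trusted API origin
    # (api.example.com is a placeholder) and may load nothing from elsewhere.
    add_header Content-Security-Policy "default-src 'self'; connect-src https://api.example.com; frame-ancestors 'none'; object-src 'none'" always;

    # Do not advertise the server version in responses.
    server_tokens off;
}
```

Because there is no PHP, CGI or database behind this host, a scanner that finds it has nothing to exploit except the static files themselves; the remaining attack surface is the CDN, the TLS termination and whichever trusted API the client is permitted to call.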
If that’s the case, why doesn’t everyone do it?
The reasons have to do with cost and convenience. The open source software business model does not allow for much support, and although web hosting companies usually advertise 24x7 customer support, it does not cover everything. There are restrictions, SLAs, trade-offs and fine print, and all of these are moving targets. There is very little online that is not moving.
This is the USS Alaska (SSBN-732), an Ohio-class submarine. By using this image I do not mean to claim any military-grade qualifications; I chose it because it represents "stealth in an adversarial environment."
The information security community considers "security by obscurity" a particularly inadequate defense. However, attackers are constantly collecting evidence in order to find vulnerabilities, and denying them that evidence has value even though it is no substitute for fixing the vulnerabilities themselves. I have never seen a website that was not being probed constantly. Whether we recognize it or not, the Internet is an adversarial environment.
One of my design goals is to yield as little evidence as possible. Like a stealth bomber with the radar cross section of a sparrow, or this submarine’s navigation system with an extremely low signal-to-noise ratio, I build sites that yield virtually no evidence to the legal, anonymous probes and as little information as possible to penetration tests, which are much more aggressive.