Safe and Sound (When No One is Paying Attention)
The worlds of fantasy and security have collided twice recently, once in practice and once in principle.
In practice, one vendor, Oracle, took a hard stance on the way some of its software testing is done. The backlash ranged from tough to comical. Notably, there was the hilarious strain of “fan fic” that popped up around decisions announced by Oracle, particularly with its decisions on reverse engineering. No software vendor is immune from scrutiny, and the bigger vendors like Oracle tend to attract more than their fair share.
What struck me about the whole situation was quite redeeming, actually: the knowledge that investments in troubleshooting and pen testing work to benefit everyone. I trust that Oracle will work toward a stronger security posture moving forward. It’s in their best business interest (and maybe they’ll re-write a few chapters of that fan fiction along the way). Overall, it’s great to know that today’s hyper-security-sensitive day and age includes plenty of attention on keeping software and data safe ahead of hacks, zero days and data leaks.
More under the radar was a discussion point I heard while at the Black Hat information security event in Las Vegas. In total, the sessions were hit or miss. Like many, I was captivated by the wealth of tools and trickery exposed in the NSA “Playset.” A separate rundown of opportunities and missteps in Windows 10 was very timely. On the disappointing side were security aspects around big data. In one session, it was reported that there have been only four reported and fixed vulnerabilities in the big data sandbox, Hadoop. So, four vulnerabilities in a few years … meaning Hadoop is nearly perfect, right?
If you’re one of the still-emerging businesses playing with big data, there’s a chance you’re on the cusp of finding brilliant new insights on products and customers. However, such a small number of security vulnerabilities found in this one big data platform says more to me about the low rate of big data use and testing than about its security. While traditional relational database management systems have decades of security hardening, patches and operational experience behind them, today’s flexible and cool big data toolsets do not.
As it’s clear that more of the world is seeking better returns from pools of information, it stands to reason that more companies will dump sensitive loads of raw information into big data analytics. With sensitive, identifiable data comes all the risks we’ve come to regularly associate with other software, hardware, infrastructure and devices. Latching onto big data may be great from the perspective of potential ROI, but it shouldn’t come at the cost of skipping the security side of wondrous data tools like Hadoop. Perhaps it’s time for some big data security fan fiction?