From Microsoft to Adobe insecurity: One man's journey
Marc Maiffret spent the earlier part of his career shedding light on major Microsoft vulnerabilities. In his new gig, names have changed but not the threats.
By Bill Brenner , Senior Editor
April 28, 2010 — CSO —
As co-founder and CTO of eEye Digital Security, Marc Maiffret spent much of his time immersed in the world of Microsoft insecurity. When there was a large zero-day vulnerability to be attacked, eEye was usually among the first to find it.
He left that job three years ago. In that time, Microsoft has gained newfound respect for its security efforts while other popular software vendors are fingered for making the same mistakes. In an interview with CSO Tuesday, two names came to mind for Maiffret, now chief security architect at FireEye: Adobe, which faces growing criticism for widely exploited flaws in its software, and Apple, which is increasingly the focus of malware writers even though it hasn't seen the level of attacks Microsoft and Adobe have.
What's your take on the security vendor community today?
Maiffret: When you look at the industry and the mainstay players, they'll even tell you that their [malware] signature technology doesn't work anymore but that hey, "we have this great behavior-anomaly technology." What they don't tell you, and what the IT community can see, is that with those technologies you are either at one end of the spectrum or the other. If you tune the technology up you may catch a lot of things, but that includes a lot of false positives. At the other end, the admins tune it down to reduce the false positives but then they end up missing stuff. At the end of the day, you really can't have either of these scenarios, but everyone knows we can't have a utopia, either. The reality is that we're at the point where it's not even the sophisticated attacks that cause all the problems. We're seeing it with every-day spyware. It's very hard to tell the two apart from a threat perspective. In the process, we've seen a massive failure of the vendor community to grasp these things.
CSO: We used to talk a lot about Microsoft's security problems. How are they doing now?
I think a lot of people are surprised that I've become one of the big advocates of saying Microsoft is getting a lot of things right. They're not perfect, but their approach to secure code has really come along. A few years ago I gave a talk called "More than a Microsoft World" where I tried to wake people to the fact that they weren't always going to be worrying about just Microsoft and Patch Tuesday in the years to come, but also Adobe, Apple, and so on. There are so many third-party applications on the desktop to worry about now.
In-depth information on tools and strategies for writing secure code, finding vulnerabilities, and other critical application security issues
10 steps to secure browsing
Holistic patch management, browser settings, filtering, and other tactics
Vulnerability management: The basics
5 key tenets for making the most of vulnerability management efforts
Software security for developers
Building security in, from the requirements phase through deployment
Software security for app dev managers
Building and managing a software security program that pays off
How to use source code analysis tools
Database security: At rest, not at risk
How to compare patch management software
Ranum: Does disclosure work?
- Security Analytics Video
- Enterprise File Sharing: All You Need to Know
- Forrester Research and EMC on Continuous Availability
- Big Ideas; Big Tech-Continuous Availability for VMware
- Reduce Costs, Maximize Performance and Ensure High Availability of your Business Critical Applications
- Software Asset Management - Program Considerations to Help Reduce Risk and Lower Costs
- Mandiant's APT1: Revisited
The Mandiant APT1 report made our industry stronger by encouraging -- if not forcing -- information sharing. By Nick Selby - Attacks from China: A survival guide
- #FFSec: Infosec pros who bring value to Twitter
More Salted Hash with Bill Brenner
