Feeds

Apple security is 'struggling,' researcher says

Laments lack of 'formal security program'

Using blade systems to cut costs and sharpen efficiencies

A well-known security consultant says Apple is struggling to effectively protect its users against malware and other online threats and suggests executives improve by adopting a secure development lifecycle to design its growing roster of products.

"Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases," writes Rich Mogull, founder of security firm Securosis and a self-described owner of seven Macs. "To address this lack, Apple should integrate secure software development into all internal development efforts."

Microsoft was among the first companies to integrate an SDL into its internal development routine. Under the program, products are built from the ground up with security in mind, so that poorly written sections of older code are replaced with code that can better withstand attack. It also subjects programs to a variety of simulated attacks. Adobe Systems recently beefed up the SDL program for Reader and Acrobat following criticism about the security of those two programs.

Mogull's suggestion was one of five he made recently to ensure company is doing everything it should to safeguard its customers.

"It's clear that that Apple considers security important, but that the company also struggles to execute effectively when faced with security challenges," he writes in a recent article on Mac news website Tidbits. He goes on to fault the company for its ongoing failure to patch a gaping security hole in Mac versions of Java.

The suggestions came as Apple on Monday announced Safari 4.0, a release that fixes more than 50 vulnerabilities in the browser. Protection against clickjacking attacks, denial-of-service flaws and bugs that allow for remote code execution were among the fare.

Another suggestion from Mogull is that Apple appoint and empower a high-ranking executive to oversee security in all Apple products. The CSO, or chief security officer, would serve as the public face for Apple security as well as the internal boss who coordinates the company's response to security incidents and development of new products that are safe.

"None of this will work if the CSO is merely a figurehead, and this must be an executive management position with the budget, staff, and authority to get the job done," Mogull says.

The researcher also called on Apple to complete work adding anti-exploitation technologies into OS X. While features such as sandboxing, library randomization, no-execute flags and stack protection are partially implemented now, "these implementations are either incomplete or flawed in ways that nearly eliminate their security advantages," Mogull says. (Fellow researcher Charlie Miller has said largely the same thing.)

Mogull's remaining two suggestions are:

  • Establish a security response team to manage communications between internal employees and external researchers reporting vulnerabilities in Apple products, and
  • Manage vulnerabilities in third-party software.

Apple has yet to respond to criticism about the vulnerable version of Java it continues to ship with its Macs. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.