Let's say I'm able to dynamically and statically analyze an application running on some platform. This analysis is so full of awesome that it enumerates every entry and exit point in the application. It enumerates all the ways that data is touched, modified and/or returned to the user of the application. It understands authentication and authorization, from the interface down to the underlying operating system.
So what. Really, who cares. There's absolutely no context with this contrived analysis. Let's say that the application above only accesses information deemed public by the application owner. Let's say that the machine has no way to pivot to any other resources: an island. Then what? And why am I wasting time on a post like this that seems pretty obvious?
We have threat modeling, attack trees, call graphs, and everything else at our disposal. Automation can get us far, but without subjective context, especially on asset valuation, everything looks the same. I'm all for measurements. As an industry, we're nowhere near being able to enumerate what applications can do, what they touch, or even how to process all of this information. But even if we were, we would still be silly enough to mark a remotely exploitable vulnerability that popped root on this application as a "high", whatever that means. Whereas in reality, this asset has so little value that it's not even worth including its system name in a report.
We do not do a good job of assessing asset values, however subjective that is. Yes, there's value to an attacker. At a minimum: can I pivot from this host? Can I now access something I wasn't able to access before? These are valid questions and should be called out if there's reason to. But what about the data? Not all assets are equal, and we should stop treating them as if they were.