Listen to the podcast
In the first ContraRisk Security Podcast, Steve Mansfield-Devine talks to Ross Barrett of Rapid7 about the problems with Java, and Richard Walters of SaaSID about the dangers posed by unauthorised use of cloud services within organisations.
The first month of 2013 witnessed a series of Java zero-day flaws being used in exploit kits. Java vulnerabilities are nothing new, but the inclusion of the exploits in kits such as Blackhole ensured that these new ones would achieve widespread impact. The problem is specifically Java in the browser: the exploits are delivered through the browser plugin, and while many of us can simply disable Java applets, that is not a course of action open to organisations that have invested heavily in the technology for internal, often business-critical, applications. And for the customers of enterprises, including banks, that use Java applets for customer-facing applications, the problem is arguably worse, since those customers’ machines and patch levels are outside the enterprise’s control. Oracle has achieved an unenviable reputation both for the number of vulnerabilities in its products and for the slowness of its responses. The company did issue a rapid patch for the first of January’s flaws, but the fix proved to be incomplete, and further vulnerabilities soon surfaced. Rapid7, best known for its vulnerability-management and penetration-testing products Nexpose and Metasploit, has kept a close eye on Java issues, and in this podcast Ross Barrett, senior manager of security engineering, explains why the recent flaws have got so much attention, and why he uses a separate browser when he has to use Java!
Symantec recently issued a report on the problem of ‘rogue clouds’. This isn’t a new problem: sales teams, for example, have been opening Salesforce.com accounts without the IT department’s knowledge for years. But the sheer number of cloud services, many of them free, means that ad hoc use by employees is becoming a real problem. Sensitive data that should be under the strict control of enterprise policies and systems is finding its way onto services such as Dropbox or Google Drive, outside the organisation’s access controls, logging and retention rules. With ever more draconian requirements around data protection, that’s a Bad Thing. Richard Walters, CTO of SaaSID, a company specialising in the secure use of cloud services, talks about why such rogue or shadow IT is a problem.