Information security is an unpredictable, fluid discipline. There are very few absolute truths, but for the last few years, one of those has been that Apple isn’t paying much attention to software security. At least that’s the received wisdom.
This theory is based mainly on the fact that security researchers have been breaking OS X, Safari and the iPhone OS on a regular basis. Thanks to incomplete or nonexistent implementations of memory protections such as DEP (data execution prevention, which marks writable memory as non-executable) and ASLR (address space layout randomization, which makes the addresses an exploit depends on unpredictable), researchers have found a number of innovative techniques for exploiting Apple's flagship products. None of this is much different from what has been said about Microsoft's software in the past, or even now, for that matter. Researchers continue to find serious weaknesses in Windows, Internet Explorer and Office every month, and attackers continue to exploit those vulnerabilities.
The difference, however, is that we have a pretty good idea what Microsoft is doing to correct those problems. The company has been very public about its software security program, to the point of publishing its threat modeling process and tools and exporting the program to its partners and other third parties. Its executives and internal security experts such as Michael Howard and Adam Shostack talk openly about the specifics of the Trustworthy Computing effort, its limitations and even its failures.
This has had an undeniably positive effect on both the security of Microsoft’s products and its public image among security researchers and customers.
Apple, on the other hand, is a black box. Its employees say virtually nothing of consequence about security, the development process in general or the security response process. Security researchers say dealing with the company can be an incredibly frustrating experience, a one-way street leading to Cupertino. But that’s nothing new for Apple; that’s essentially how the company conducts business in general, not just in the security world.
Last year, I wrote a column asking where Apple’s version of Trustworthy Computing was. Since then, little has changed in the company’s public stance. Silence is still the order of the day, and that’s the main problem. Apple could have an extensive software security program in place, with advanced training and development methodologies. But we have no way of knowing. This isn’t to say that Apple needs to give up intimate details of its efforts the way that Microsoft has, because that’s clearly never going to happen. But the company is doing a disservice to its customers as well as itself by not speaking publicly at all about this problem.
The one sign of hope in all of this is Apple’s recent hiring of Window Snyder, the former head of security at Mozilla and an alumna of Microsoft’s security organization. Snyder was deeply involved in the Trustworthy Computing program, which, while by no means perfect, has made a major difference in the security and reliability of Microsoft’s products. She also was instrumental in making Mozilla more open and communicative about its security practices, bringing in the concept of threat modeling, as well.
But Apple has said nothing about what Snyder will be doing. The likeliest scenario is that she was hired to put together a software security program and stop the flood of bad PR. Apple is among the more image-conscious companies on the planet, and while the vast majority of its customer base is in the consumer sector, the iPhone has made serious inroads in the enterprise, and Apple's executives can't like seeing a constant stream of stories about new attacks on the iPhone and Mac.
So this may be the beginning of a new day for software security at Apple. Or not. It’s Apple, so there’s no telling. We may not know until a year or two or three from now when the company puts out a new version of OS X or the iPhone OS and the attackers and researchers and pen testers take their runs at it and find the game has changed.
But until then, you want it to be one way, but it’s the other way.