why security will move to the network

Saturday saw me working most of the day on some productive stuff. On my test server I was finally able to install compatible and updated versions of Apache, MySQL, PHP, and Perl along with a new version of Movable Type. And I got it all to play nicely and properly render my website in full. Finally PHP and Apache2 ironed their issues out and I can proceed with my upgrades.
But this reminds me of the futility of trying to maintain a server and network in terms of security, and I don’t even have all that much stuff installed.
My old server is a Windows 2000 Pro system that would have 100% uptime if not for power outages and apartment moves (and update reboots). It runs Movable Type 1.2, I think, with 4-year-old versions of PHP and Perl, a year-old version of Blosxom, and Apache 1.3. I’ve not really updated the system itself in about 4+ years. That’s heavy! And I’m a paranoid security guy who truly does know better!
Now, I will have updated versions of all of that, including a Wiki program. This means I need to keep up on:
– keeping my installs updated by applying any patches or security upgrades
– keeping my code secure by knowing how to program in a secure fashion
– remaining an expert with all those technologies so that I know how to properly secure them
– for every update, being able to test it before putting it into full production, or being able to spend the time to recover when something royally screws up
– maintaining resources for backing up the important stuff
My environment has two systems and a half dozen apps and a single OS version. And yet that’s already a very big list of tasks up there. Just think how tough it is to be secure on a corporate level where every department has their own desires, software and web developers use their own systems to host things when they don’t get their way on servers, and so on. It is no wonder that there are thousands of vulnerable forum sites out there running unupdated software. You can just wince when coming across an old forum site whose last 6000 posts are spam ads for Viagra.
Now, imagine turnover in the IT space. A 5-year vet of a company leaves and takes a heck of a lot of institutional knowledge with her. That might mean some systems have unknown software installed that no one else knows about, and no one else can manage. Imagine those things being used by someone for something critical, and by the time some issue arises, the company that created it (or the internal developers) is no longer in business and support is not possible. Legacy is a very apt word for what we will go through as the years go by… legacy apps, systems, servers. It’s not just hardware we need to worry about anymore, or bulky mainframes in basements.
Unless a corporation is very diligent and very controlling (which everyone resists vehemently), the application layer is becoming a lost battle. It is enough for IT divisions to attend to downtimes, connectivity, and failed hardware, let alone to stay abreast of the latest news on package Y or application X. And we can rest assured that we’re also losing the battle of getting security packaged into software from the start.
As a side note, just think how much knowledge a true security pro needs. Not only do I need to know how to install and secure Apache, but I need to know how to break it too. I also need to know what is bad in PHP (i.e. I need to know how to code it). I need to keep up with all those areas and updates. I need to have intimate knowledge not just of the OS, the apps, and the code, but of the countless interactions between them… Very, very heavy…