Expert says Apple needs to increase its security efforts
According to independent security specialist Rich Mogull, Apple needs to do more for the security of its software. Mogull says Apple's recent failure to provide a patch for the critical Java hole in Mac OS X has demonstrated considerable shortcomings in the vendor's handling of security issues. In the past Mogull has, for example, worked with the Mozilla Foundation to develop a model for improving the security of the Firefox web browser.
The security expert's suggestions include Apple appointing a Chief Security Officer (CSO) to provide a coordinating executive force as well as a public face. According to Mogull, the CSO should have his own budget, dedicated staff and the authority required to prevent the position from becoming marginalised in company politics. He does say that the recent hiring of security star Ivan Krstić is a positive sign.
In addition, Mogull requests that Apple adopt a "Secure Software Development" program for its most important products, Mac OS X and the iPhone. Microsoft has operated a similar program for years – and Adobe is just about to adopt one. He said the program should include programmer training, development standards, threat modelling and code reviews.
The expert also considers it necessary to establish a security response team that handles software vulnerability reports. Since many Apple products rely on open source software, it is particularly important for Apple to track the security status of these projects and respond quickly. According to the expert, the vendor has so far been slow to close such vulnerabilities – even in the case of its own WebKit browser engine.
Finally, Apple should complete and finalise the introduction of its "Anti-Exploitation Technologies". Mogull says that although Apple began to implement protective measures like a non-executable stack (on Intel hardware), library randomisation and sandboxing with Mac OS X 10.5 Leopard, these measures are incomplete, flawed and easily bypassed. He speculated that the first improvements in this area may already be included in Snow Leopard.
In his TidBITS article, Mogull says using Apple products is currently still a relatively safe experience, but there are signs that this may change if Apple doesn't improve its security policies and architecture.
- Safari 4 addresses numerous security vulnerabilities, a report from The H.
- Exploit for unpatched vulnerability in Mac OS X - Update, a report from The H.
- Adobe to release quarterly security updates, a report from The H.
- DNS hole - no patch yet from Apple, a report from The H.