Security folk often carry Macs, is that an endorsement?

The Geekonomics blog is often good. A new post indicates that Apple’s veneer of being more secure than Microsoft is cracking.
It was only a matter of time. I wanted to clarify that though you see a lot of security consultants carrying Macs, in Cigital’s case, it’s not an endorsement. Again, in the interest of disclosure: though I own and operate many platforms, I operate more OS X at home and office than the others.
I attribute Mac adoption amongst security folk to two reasons: the platform combines a Unix-like environment with the ability to interact through email and MS Office, and the machines, for the most part, are a snappy bit of hardware, cobbled together into a “shiny object” (desirable) form. This second aspect goes a long way to explain the recent jump in ownership in the security community: “fan-boys.”
Any claims that it’s because “they’re more secure” should be considered with a fair amount of skepticism.
Yes, historically, the platform has suffered less pain of viruses and malware. Yes, certain aspects of their OS/platform and design did make improvements over XP.
The truth is this:
Apple doesn’t “Build Security In” very well at all. You don’t have to be an insider to understand why. Redmond is exporting security blogs, books, and value like never before. You don’t see a lot of Apple security people in the community though. You don’t see good solid standards-based support for authentication or web-services that would help you interact securely with your enterprise (Apple hides behind their ‘vision’ on this one). You don’t see a lot of support for Objective-C in the static analysis tool realm.
I believe that though Apple paid great lip service to security as a differentiator initially (they even talked about phones like the iPhone becoming the basis of identity moving forward), they abandoned it when they realized the cost of a real enterprise-level program. They also abandoned what was probably their best protection: the PPC processor. Their security proposition, IMO, is based on obscurity.
I’ve said before, “Woe to Apple when market share (and thus Economics) garners the attention necessary to motivate attackers to focus on the platform—attackers may find their task easier than with Vista.”


March 17th, 2009 at 4:06 am
Don’t worry. We’ll all be even less secure when we’re running VMware View clients off cloudbooks to Mac OS X, Linux, or Windows 7 thin-client desktops.
Platforms planned for future attacks by motivated adversaries are the web and the cloud. These are the areas we need to worry most about.
If there are motivated adversaries for Mac OS X, they better move fast. There isn’t a lot of botnet-spreading malware today, and Snow Leopard (especially combined with Apple’s easily forced hardware+software upgrade path) will add plenty of new controls. Many third-party products on Mac OS X (the Microsoft ones as an example) implement a lot of strong controls — at the very least at the compiler layer. New books such as “The Mac Hacker’s Handbook” do up the game a bit, but usually full-disclosure and awareness tend to have an overall good effect on security for these less-popular platforms.
While Apple continues to ice on security instead of baking it in, we’d all appreciate a spokesperson and strong security team to emerge. Certainly, everyone agrees with you on this point.
As for why security-nerds tend to roll with the MacBooks and MacBook Pros (and iPhones), I think this comes from a desire to achieve security through defense-in-diversity.
Unfortunately, this tends to have a reverse effect. The best strategy is one you suggest: owning and operating multiple platforms. To be able to switch between Terminal, Cygwin, and a Linux window-manager with rxvt and bash prompt is certainly a valuable skill to bring into any environment. Knowing the basics of VBScript, PowerShell, AppleScript, NT/Unix shells, and the common set of scripting languages (i.e. Ruby, Python, Perl, Tcl, Awk, Lua, CLIST, REXX) almost defines the contending modern security professional.
Sorry… forgot to say great post – can’t wait to read your next one!
March 17th, 2009 at 2:15 pm
From the department of stuff from 2005, I present:
Is Your Mac Really More Secure? (April 2005: IT Architect)
http://www.cigital.com/papers/download/0504sec.macs.pdf
Damn marketshare takes a long time to gin up.
gem