
Suggestions for Apple on Improving Security


An article by Rich Mogull in TidBITS makes five suggestions for how Apple can improve security for Mac OS X and the iPhone. Mogull is pretty negative about Apple’s current security strategy, and suggests appointing a chief security officer and creating a security response team, both of which he feels would enhance the overall security approach at the company.

Mogull states that Apple needs to react more efficiently in patching third-party software, such as Java, Samba, Apache, and DNS. “Apple absolutely can’t afford to leave its customers exposed,” he says, and we agree totally; the six-month-old Java vulnerability that has been a topic of discussion lately is a case in point.

Mogull also suggests that Apple complete the implementation of anti-exploitation technologies, saying, “Anti-exploitation technologies assume that vulnerabilities are inevitable, and try to prevent attackers from taking advantage of them to hurt our systems.” Apple’s current approach is partial and leaves a number of potential holes.

Finally, Mogull looks at the overall development process and calls for a secure software development program. “Based on a variety of sources, we know that Apple does not have a formal security program, and as such fails to catch vulnerabilities that would otherwise be prevented before product releases.”

Five valid points, all of which provide food for thought.
