CIO - When security researcher Charlie Miller hacked the Mac through the Safari browser in under 10 seconds last week, the question raised was deafening: Is Apple Safari secure? The answer, of course, is a bit more complicated.
For the second time in as many years, Miller took control of a Mac to win CanSecWest's PWN2OWN contest. Both times, Miller found a way inside through a fully patched Safari browser. Three other browsers, including market leader Internet Explorer, also fell later in the competition.
Among techies, Safari lags behind popular browsers in its security prowess. Safari is the only major browser without data execution prevention, which helps prevent buffer overflows, says Roger Grimes, a product reviewer for sister publication InfoWorld. "It's just inexcusable," Grimes says. "The entire world also supports the advanced encryption standard except Apple - and that means something."
Greater market share leads to a security culture
Part of the problem, say industry watchers, is that Apple doesn't have a very strong security culture. In comparison, other companies like Microsoft have spent years creating a security development lifecycle, or SDL, whereby every software coder has been trained in security and every product undergoes a rigorous inspection process both internally and externally with contract hackers.
"In general, Apple does not have a great track record in the security of its code, and Safari follows that tradition," says Gartner's John Pescatore. When it comes to security, adds Grimes, "Safari is the weakest of the major browsers."
The reason companies like Apple are slow to build security into their products and culture is that "security doesn't sell anything," says Grimes. "The most secure product rarely wins." When a product such as the Mac gains market share, security becomes more important. In fact, new kinds of Trojans and cross-platform exploits are now taking aim at the Mac, which means Apple will have to change its attitude about security. Apple could not be reached for comment.
For Safari, the critical mass that moves the dial toward better security measures is still a long way off. In a recent Forrester survey of 50,000 enterprise users, Internet Explorer boasted 78 percent market share compared to Safari's paltry 1.4 percent.
Secure browsers are a moving target