just one more geek in a sea of austin techies

November 16, 2015

Irony: Requiring Flash for Security #SecurityGeek

Use this bit of irony to peg who is still relatively new to the IT scene ("Are you kidding me?") or who has maybe been around a bit too long ("Yep - sounds about right...")

The subject?  Adobe Flash...

The Scene:
Various US government institutions mandate annual computer security awareness training for employees and contractors.  The specific methods and depth of training vary by entity.  In my case I only have to complete a relatively brief web-based training course.

The Irony:
The very first thing the security training website tells me -- a government site under the ".mil" domain, mind you -- is that my system doesn't have all the requisite items in order to take the training.  Specifically, I need to install Adobe Flash before I can take the "Cyber Security Awareness" course...

*shakes head and cries a little*

Click to expand the image.

For anyone not "in-the-know" on web security matters, Adobe Flash is well-known to present security vulnerabilities and has had this reputation for the past several years. Adobe has continued to update the software to fix known vulnerabilities but new problems arise at an alarming rate.  In the past 6 months Adobe has not enjoyed a 30 day period without having to rush out some new "security update" patch.  On average Adobe is now pushing out a new Flash security patch every two weeks.

To be fair, I have previously dabbled in creating Flash files and employing my own custom ActionScript programming -- all the way back to ActionScript v1.0 circa 2000.  I have enjoyed the product and what could be done with it.  However, even the most ardent fan of Flash cannot ignore the litany of serious security issues exposed on a regular basis over the past several years.  I won't argue that Flash should be done away with, but I *will* argue that Flash has no place in an environment where security is considered to be paramount.

Get with it, DISA!
If nothing else, requiring Flash on a military website hosting cyber-security-themed training courses is, at best, very bad form.  This is a glaring case of not walking-the-walk while you talk-the-talk.

No comments:

Post a Comment