I saw a fascinating post from Dan Morrill over on the ITtoolbocxBlogs yesterday. I tagged it then, but am only jsut now getting to post some thoughts.

Dan talks about an interesting new attack vector on our security. Because I talk a lot about Software as a Service (SaaS), Software Oriented Architecture (SOA) and Communications Enhanced Business Process (CEBP), this post in particular seems worth a mention because it does raise a new threat vector for us all to think about.

It's important when we converge network services with enterprise business applications that we take methodical approaches and adhere closely to industry best practices and standards so that we don't open up unintentional gaps in our enterprise security. The last thing we need is malware running as a service in an enterprise network.

Nice writeup and a worthwhile subject for discussion.

Malware as a Service

Dan Morrill (Security Project Manager) Posted 2/27/2008

Interesting new research was released today on Malware as a Service, with credentials stolen, and researchers cracking malware. Security Company Finjan reports the first indication that the theft of FTP credentials was caused by hackers installing code at the Software as a Service (SaaS) level.

What’s notable about this development is that hackers are using a software as a service (SaaS) model to deliver applications that are designed to abuse and trade FTP accounts. According to Finjan, this database may be the first use of SaaS for something other than legitimate means. Maybe we could call it HaaS: Hacking as a service. Source: ZDNe

[Read Dan's Full Post]