Archive for August, 2009

The Coming Security Nightmare

August 31, 2009

I was looking at the Facebook API recently and some security concerns crossed my mind.  Not even concerns, just questions.  Now with software I had purchased or downloaded, I would have answered these by playing with it or even, if I cared that much, done some vulnerability analysis.  I can’t do that with Facebook.  There’s only one “copy” of the Facebook application and that’s their web site.  I can’t sit there and try SQL injection or XSS attacks on it.  They have intrusion detection systems to detect and/or thwart me, and if I do find a smoking gun they’ll probably arrest me.  Now this probably doesn’t matter a whole lot to me; I’m not going to integrate my bank’s web site with Facebook or anything.  But there an increasing number of businesses large and small that rely on external web sites.  These businesses have no way to verify any security claims by those web sites.

Traditionally, the software security industry has relied on a huge number of unpaid “volunteers” to find security flaws – white hats or security researchers or whatever.  These are the people who practice responsible disclosure and do not actually try to gain unauthorized access via the flaws they discover.  This is essentially impossible with web sites or cloud infrastructures because any security testing will be viewed as “hacking”.

Oh sure, we can test the underlying software packages that run the sites – Apache or PHP or Windows or whatever.  But there’s no third party analysis of the web apps themselves – which is what actually makes the web site useful.  If you look at something like salesforce.com or Google App Engine, it’s even worse – you have no idea who is writing these apps and again, no way to test them.

I expect we’re going to see a huge increase in the number of web sites that are exploited because of this, and as those web sites increasingly become development platforms in their own right, more and more business and mission critical software is going to suffer the consequences.

Advertisements

Welcome… to the machine.

August 25, 2009

I wonder how many blogs have started with this quote from Pink Floyd?  I’d guess at least 10,000.

I don’t really have anything on my mind right now, I just wanted to see if I could import this shit in to my myspace page.  Come back later.