The Coming Security Nightmare

I was looking at the Facebook API recently and some security concerns crossed my mind.  Not even concerns, just questions.  Now with software I had purchased or downloaded, I would have answered these by playing with it or even, if I cared that much, by doing some vulnerability analysis.  I can’t do that with Facebook.  There’s only one “copy” of the Facebook application and that’s their web site.  I can’t sit there and try SQL injection or XSS attacks on it.  They have intrusion detection systems to detect and/or thwart me, and if I do find a smoking gun they’ll probably arrest me.  Now this probably doesn’t matter a whole lot to me; I’m not going to integrate my bank’s web site with Facebook or anything.  But there is an increasing number of businesses, large and small, that rely on external web sites.  These businesses have no way to verify any security claims made by those web sites.

Traditionally, the software security industry has relied on a huge number of unpaid “volunteers” to find security flaws – white hats or security researchers or whatever.  These are the people who practice responsible disclosure and do not actually try to gain unauthorized access via the flaws they discover.  This is essentially impossible with web sites or cloud infrastructures because any security testing will be viewed as “hacking”.

Oh sure, we can test the underlying software packages that run the sites – Apache or PHP or Windows or whatever.  But there’s no third party analysis of the web apps themselves – which is what actually makes the web site useful.  If you look at something like or Google App Engine, it’s even worse – you have no idea who is writing these apps and again, no way to test them.

I expect we’re going to see a huge increase in the number of web sites that are exploited because of this, and as those web sites increasingly become development platforms in their own right, more and more business and mission critical software is going to suffer the consequences.
