Thursday, June 18, 2009

Isn't that Impossible?

Not every organization, or the people in it, knows about software security issues, nor do they all respect them.

In most of my workshops conducted with developers for secure coding, I often hear the proclamation, "Isn't that Impossible..." and then the drama starts...

Many developers do not understand how the web works
• “Users can’t change the value of a drop down”
• “That option is greyed out”
• “We don’t even link to that page”

Many developers doubt attacker motivation
• “You are using specialized tools; our users don’t use those”
• “Why would anyone put a string that long into that field?”
• “It’s just an internal application” (in an enterprise with 80k employees and a flat network)
• “This application has a small user community; we know who is authenticated to it” (huh?)
• “You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!”

Many developers do not understand the difference between network and application security
• “That application is behind 3 firewalls!”
• “We’re using SSL”
• “That system isn’t even exposed to the outside”

Many developers do not understand a vulnerability class
• “That’s just an error message” (usually related to SQL Injection)
• “You can’t even fit a valid SQL statement in 10 characters”

Many developers cite incorrect or inadequate architectural mitigations
• “You can’t execute code from the stack, it is read-only on all Intel processors”
• “Our WAF protects against XSS attacks” (well, clearly it didn’t protect against the one I’m showing you)

Many developers cite questionable tradeoffs
• “Calculating a hash value will be far too expensive” (meanwhile, they’re issuing dozens of Ajax requests every time a user clicks a link)

There would be dozens more. The point is that developer education for security is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don’t teach them this stuff? You can only treat the symptoms for so long; eventually you have to attack the root cause.
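The "how the web works" quotes above (drop-down values, greyed-out options, unlinked pages) and the "string that long" quote all assume the browser enforces the rules. The sketch below is an added example, not code from any application discussed here, showing the server-side checks that replace those assumptions; every field name, role and route in it is hypothetical.

```python
"""Server-side checks for constraints the browser only suggests (added example)."""

# Constructed application state; all names are hypothetical.
SHIPPING_OPTIONS = {"standard", "express"}         # values rendered in the <select>
EDITABLE_BY_ROLE = {
    "user": {"shipping", "note"},                  # "discount" is greyed out for users
    "admin": {"shipping", "note", "discount"},
}
ROUTE_ROLES = {
    "/order": {"user", "admin"},
    "/admin/export": {"admin"},                    # never linked from user pages
}
MAX_NOTE_LEN = 200


def authorize_route(path, role):
    """An unlinked URL is still reachable: decide on the role, not on the link."""
    return role in ROUTE_ROLES.get(path, set())    # unknown paths are denied


def validate_order(form, role):
    """Return (clean, errors) for a submitted form, trusting nothing the UI enforced."""
    clean, errors = {}, []
    allowed_fields = EDITABLE_BY_ROLE.get(role, set())
    for name, value in form.items():
        if name not in allowed_fields:
            # A disabled/greyed-out control can still be sent in a request.
            errors.append(f"{name}: field not permitted for role {role}")
        elif name == "shipping" and value not in SHIPPING_OPTIONS:
            # A drop-down is a hint to the user, not a constraint on the request.
            errors.append("shipping: value not in server-side allowlist")
        elif name == "note" and len(value) > MAX_NOTE_LEN:
            # maxlength in the HTML does not limit what arrives at the server.
            errors.append(f"note: exceeds {MAX_NOTE_LEN} characters")
        else:
            clean[name] = value
    return clean, errors


if __name__ == "__main__":
    # Constructed requests: what the form sends, and a request edited in transit.
    browser = {"shipping": "express", "note": "leave at door"}
    edited = {"shipping": "free", "discount": "100", "note": "x" * 5000}
    print(validate_order(browser, "user"))
    print(validate_order(edited, "user"))
    print(authorize_route("/admin/export", "user"))
```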

Looking for better solution(s)

It's been 5 years that I have been looking over Application Security issues. It makes me wonder when I find myself and many others still looking out for some unsolved or better security solutions. There are certain issues where we have broken our heads to get a solution, but in the end it hasn't been secure "enough".

I thought it might be interesting to post my list of such issues for others to see things and get opinions on the same.

Still looking for better (secure) solutions for the following points:
1. Implementing a strong Key Management solution for PCI Compliance. Customers trust products which can help achieve this compliance, but they do not trust a bespoke implementation. I strive to get this done!!

2. Develop a better CAPTCHA mechanism to defend against robots. I believe a real-world user hates the current image version displayed. It has to be simple and secure.

3. Get the NAT'ed IP address of the user using HTML or Javascript.

4. A strong solution to prevent users from getting on to fake sites (Phishing) without much user education.

5. Developing an Effective and Manageable Web Application Firewall which can be at least a bronze bullet (if not a silver bullet) for Web Security. :)

6. Designing security for social networking sites where a feature could be exploited to be a flaw.