Geeks With Blogs


Nick Harrison Blog<Nick>.Next()

Cyber security, cyber war, and cyber vulnerabilities are all hot topics in the news right now. They should be. Most applications and our very infrastructure are incredibly vulnerable. This should remind us of Weinberg's Second Law: If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization. A swarm of woodpeckers may be closer than we think.

Everyone gets outraged about privacy vulnerabilities with Google and Facebook without ever thinking about how vulnerable their privacy is nearly every time they connect to any web site.

It makes national news (often international news) when personal information is lost in a high profile case, but this is often too little too late.

Many people read headlines about credit cards being stolen and feel powerless and helpless. The feeling is easily understood. As programmers, we are also often just as powerless.

From a security perspective, even if we do everything right, our applications are still vulnerable, but this should never be an excuse to not take every step that we can to secure our applications or push for security on every application that we work with. This should inspire us to be more vigilant and protective.

A few points are worth pointing out and remembering:

  • If an application is usable, it is vulnerable.
  • The myth of the secure application needs to be forgotten. Our goal needs to be defensible applications.
  • Computer intrusions are inevitable. Security countermeasures will not prevent an intrusion. They will hopefully help us survive the intrusion. Think about how a seat belt does not prevent an accident but helps you survive one.
  • If you are a computer security professional, developers are not the enemy.

The only secure computer is the one locked in a room with no key and no network connection. It won't be very useful, but it won't be compromised. The sad reality is that if the right individual or group wants to compromise your system, they will. Most systems seem safe simply because they have not attracted the wrong attention. An easy way to attract this wrong attention is to brag about how secure you are. Many hackers are drawn to the challenge of the "secure" system.

Don't ever think about your system as secure. Believing that your system is secure will draw unwanted attention to your system as well as lull you into a false sense of security. Accept the fact that it is vulnerable and requires constant monitoring and protection. Every safeguard that you put in place will slow an intrusion down and may allow you to identify and catch whoever is attempting the intrusion, but it will not prevent the intrusion.

We need to think about the automobile industry and their safety features. There was a time when the conventional wisdom was that the best way to survive a car accident was to not have an accident. To that end, the focus was on blaming the victim. "If you drove better, you wouldn't be injured." We often have a similar reaction with computer security today. "If you had a better password …" "If you had better firewall rules …" "If you had dedicated servers …" "If you were up-to-date on your patches …" "If you conducted penetration tests …" "If you had validated your input …" "If you had …"

These statements are all true, but even with a strong password behind a properly configured firewall on dedicated servers that are fully patched, the right hacker can still break through. Even if I have anti-lock brakes, electronic stability control, and two dozen airbags while wearing a seat belt, I can still have an accident. The difference is that the same accident in a Model T will result in my death, while in a modern "safe" car it will result in a pricey repair bill for the car.

Strong passwords, firewalls, etc. won't keep someone from compromising your system, but they might slow them down enough to allow you to catch them in the act. In essence, they won't prevent the intrusion, but they may help you survive.

Finally, I want to touch on the role that developers can serve in computer security. We are not the enemy. I heard a security professional make the assertion that every system vulnerability exists because a developer messed up. This is the wrong attitude to take. Very rarely will a developer set out to intentionally compromise the system that they are working on. Most developers are filled with too much pride to even consider that. The developers designing and building a system should be viewed as the single most important strategic partner in securing the application.

Among the many roles that the application, and specifically the UI, serves is that of an application-level firewall controlling access to the database. Viewed from this perspective, the importance of developers becomes obvious. When a developer writes input validations, they are writing firewall rules that could never be defined anywhere else. Exception management logic and logging become important intrusion detection mechanisms that could not be duplicated in any way. Every business rule implemented serves to further strengthen the integrity of the system.
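The idea above, sketched as an added example that is not code from the original post: field rules behave like default-deny firewall rules, and every rejection is recorded as a detection signal. The form fields, patterns, threshold and addresses are constructed assumptions.

```python
import re
from collections import Counter

# Hypothetical rules for a constructed order form. Each allowlist pattern
# encodes business knowledge that no network firewall has.
RULES = {
    "account_id": re.compile(r"[A-Z]{2}\d{6}"),
    "quantity": re.compile(r"[1-9]\d{0,2}"),  # 1..999
    "ship_country": re.compile(r"US|CA|MX"),
}
ALERT_THRESHOLD = 3  # assumed: rejections from one source before flagging


class ValidationGate:
    def __init__(self):
        self.events = []             # structured security log (in memory here)
        self.rejections = Counter()  # rejected requests per source address

    def check(self, source, form):
        """Return True if the form passes; otherwise log and count it."""
        bad = [name for name, rule in RULES.items()
               if not rule.fullmatch(str(form.get(name, "")))]
        # Fields with no rule are rejected too: default deny.
        bad += [name for name in form if name not in RULES]
        if not bad:
            return True
        self.rejections[source] += 1
        # Record field names only, so hostile payloads stay out of the log.
        self.events.append({"source": source, "rejected_fields": sorted(bad)})
        return False

    def suspicious_sources(self):
        """Sources whose rejection count reached the alert threshold."""
        return sorted(s for s, n in self.rejections.items()
                      if n >= ALERT_THRESHOLD)


def demo():
    gate = ValidationGate()
    ok = {"account_id": "AB123456", "quantity": "2", "ship_country": "US"}
    # Constructed sample requests: (source address, submitted form).
    requests = [
        ("198.51.100.7", ok),
        ("203.0.113.9", {**ok, "account_id": "AB123456'--"}),
        ("203.0.113.9", {**ok, "quantity": "-5"}),
        ("203.0.113.9", {**ok, "is_admin": "true"}),
        ("198.51.100.7", {**ok, "account_id": "ab1"}),
    ]
    results = [gate.check(src, form) for src, form in requests]
    return results, gate.suspicious_sources(), gate.events
```

One mistyped account number from a source stays below the threshold, while three different rejections from another source get it flagged for review.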

I hope to flesh out more thoughts on computer security and how, as developers, we can strengthen our systems and better defend the worlds we create with our code.

Posted on Friday, September 24, 2010 1:44 PM

Comments on this post: Thinking about Computer Security

# re: Thinking about Computer Security
A lot of your hyperbole applies to low assurance computing. As far as attitudes towards developers go, blaming coders may be putting the cart before the horse. Which came first, bad code or systems that have a brain aneurysm and cough up admin rights when code is used in unintended fashion?
Left by Rob Lewis on Sep 27, 2010 1:55 PM


Copyright © Nick Harrison