
My Thoughts on WebAppSec

Something I’ve always enjoyed is exploration… Hiking through the bush, touring a cave or walking a ledge to view pictographs… The great thing about computers is that even when it’s a frigid day or a torrential downpour, I can still explore… I can explore the Internet, an Operating System, and Source Code… anything I want to really.

One of my favourite things to explore is HTML… Regardless of who you are or what website you run, your HTML source is available for the entire world to see. With the onset of Web 2.0 there’s plenty more interesting code to explore. Web 2.0 was actually a topic of discussion around here the other day. There was plenty of discussion about the language of choice for an internal project… the debate was PHP vs. AJAX. AJAX won at first but raised the question: Pyjamas or GWT. This of course drove me to look at the various frameworks and even test them. I wasn’t overly impressed… but then again I’ve never been a big fan of Web 2.0. In the end PHP with small tidbits of JavaScript is being used, but that experience had me thinking.

Part of my investigation brought me to various potential vulnerabilities in Web 2.0. I ended up over at Attack Labs and it’s a little frightening. Another interesting read on the subject which has popped up more recently is AJAX Fingerprinting. I’m amazed at this new programming craze that’s sweeping the nation. The evidence of that is everywhere, anyone can have a website now and even do a little of their own coding. You can’t watch TV without seeing an ad for a mail-order Web Developer course… College night schools are offering the courses; high school typing classes are introducing it… You’re hard pressed to find someone who isn’t involved in some sort of web design… It’s just so gosh darn easy these days.

This scares me… a lot of Colleges and Universities are *JUST* getting the idea of teaching secure coding… for years it was never taught or discussed… in some educational institutions it’s still a taboo subject. Now these same places are teaching web design… which, regardless of how you spin it, is coding. I know at least some programmers out there are gasping in horror right now, but it’s true. So you’ve got two parties coming together… the “old school” crowd that was doing HTML when it was 100% static, has a grasp of security and has watched the evolution of the World Wide Web, and the “n00bs”… graphic artists who don’t grasp computers but got into web design, people fresh out of college where security and web programming don’t cross paths, and the people who were suckered in by some washed up 70s sitcom star on late night television.

So OWASP has released their 2007 Web Application Vulnerabilities Top 10. Jeremiah Grossman published the Top 10 Web Vulnerabilities of 2006 back in December. Everyone is talking “WebAppSec” and the terms are flying by, and sometimes over, people’s heads. XSS, SQL Injection, CSRF, etc. We’re being kept decently informed on problems to watch out for… yet we still consistently find these problems. Maybe we’ve hit a point where instead of pointing out problems and quick solutions we should be going back to the source… we should be looking to re-educate the individuals who create these pages and introduce them to the concept of secure coding… a common coding practice that, as of yet, hasn’t been applied to web design.


Comments (6)

That's it, I'm no longer putting my URL on my comments here so you don't go perusing my amateur web code from 4 years or more ago! (I think I still have comments in there that have my old email address from 5 years ago that no longer exists!)

Anyway, I really think it will continue to be difficult to get security taught by default. The reason is that to learn something, teach it, or even work with it, you need to go step by step. The basics are what gets things done. Security is what tightens the basics.

In access controls, for instance, let's say I set up a file server and throw in a fancy complexity of permissions to protect the data in those shares. Now person A attempts to access data he or she should access and fails. What is one of the first things I do when I really hunker down to troubleshoot? Remove the security and verify it still works. With n00bs or people learning something for the first time, you can't necessarily throw 10 steps at them. They might not know which step does what.

In coding, you can teach someone how to do SQL queries. But can you throw properly sanitized methods at them right away? Not unless you want a lot of frustrated n00bs.

That's not to say security should be left behind, but it is still a tacked on complexity that frustrates. It continues to not be a part of the languages/products/protocols and instead is easily stripped back to just get things done.

Sad, but reality. :( Besides, people seem to enjoy creating and doing new things and then moving on, leaving the security and maintenance and reviews for other people. Look, a desktop search which can index your entire corp! Huh, security? Well I dun...oooh look, shiny over there!

Tyler Reguly:

LonerVamp,

Glad to see you followed the blog link over :)

You make some good points... It's true that it's easier to teach somebody if you aren't factoring in security, however just because it's easier doesn't mean it's the right way to do it..

Let's say I'm teaching someone to bake... If they can grasp the concept of sifting the flour into the recipe, I shouldn't let them think that it's ok to just pour a cup of packed flour into the bowl...

Things should be done properly... I'm also not addressing the person who develops their own little homepage just for fun... I'm talking about the "web designers" who are graphic designers and don't care about security... about the college courses and correspondence courses that don't bother to teach or include security...

Just because it's easier without the security doesn't mean we should do it... We should be pushing security and teaching security...

Tyler: we, as security professionals, should also be trying to design secure distributed systems where the users (and programmers who are abstracted from the protocols) do NOT need to worry about security. We should strive to create technologies that are secure by nature, not by afterthought.

Some of the biggest problems we face with security are because users can't be bothered with it. It's hard to get everybody on the same page, and as a result we have programs that require admin privileges and users who are just looking to make things work. How many times have you brought something home and just wanted it to work right away?

Tyler Reguly:

Marcin,

As always good points... yes we should be striving to design secure systems... That doesn't eliminate the burden on developers' shoulders to develop securely... What people tend to forget when they look at a website is that they are seeing rendered code... PHP, JavaScript, HTML... They are seeing the work of a programmer (even though we like to distinguish scripting and programming, it's still the work of a programmer)... People jump into web design and don't want to think of themselves as programmers but rather designers... they need to accept the responsibility of their positions.. It's one of the reasons that sites like MySpace and LiveJournal are great.. It gives users their own little corner of cyberspace without the need for them to create insecure websites... While we have to assist, we shouldn't be shouldering the blame for lazy development methods, even if the developers are "just learning" or "only doing it for fun".

Haha, I hadn't realized both were you! :)

Tyler Reguly:

LonerVamp,

Yes :) HT @ ComputerDefense.org = Tyler Reguly @ blog.ncircle.com

About

This page contains a single entry from the blog posted on February 7, 2007 10:40 AM.
