The price of functionality
Tools such as AJAX add performance to Web sites but open new doors for attack
Web 2.0 is the new big thing on the Internet, but the tools used to enhance Web sites also introduce a new crop of vulnerabilities, many of them unforeseen by developers. For all the innovation in software and hardware, the same old battles remain when functionality outstrips security.
'There really isn't anything new in security,' said Bill Hoffman, lead researcher at SPI Dynamics, at the recent Black Hat Briefings information technology security conference in Las Vegas. 'Anyone who says there is is lying.'
At the conference, Hoffman and John Terrill, executive vice president and co-founder of Enterprise Management Technology, demonstrated some of the possibilities of a new hybrid worm that uses server-side and client-side languages to exploit a Web server and the client's Web browser. The proof-of-concept worm is polymorphic and evolves to defend itself and find new avenues of attack.
At the root of the vulnerabilities is a problem as old as software itself: the disconnect between members of the development and security communities. Developers don't know security, and security people don't know coding. As a result, security is often an afterthought.
'You have to do security early in the development life cycle,' Hoffman said in an interview with GCN.
Chess and Hoffman were at the Las Vegas conference to emphasize the need for secure software development to help prevent such unintended consequences.
AJAX is only one Web 2.0 tool, but 'we focus on AJAX because that's what most people are familiar with,' Hoffman said.
'One of the tenets of Web security is: Don't send anything to the client because you can't trust it,' Hoffman said. But that tenet was developed at a time when it was difficult to run processes in a browser. With the advent of tools such as AJAX, pushing code and data to the client is becoming the common approach.
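The tenet Hoffman cites is easiest to see in code. The following is an added example, not code from the article or from SPI Dynamics: an AJAX-style checkout endpoint written two ways, one that accepts a total computed in the browser and one that treats the request body as untrusted input and recomputes everything from the server's own catalogue. The request shape, the catalogue, the price values and the handler names are all constructed for this illustration.

```javascript
// Added example (not from the article): applying "don't trust the client"
// to an AJAX-style JSON endpoint. Catalogue, request shape and handler
// names are constructed for illustration.

// Canonical catalogue held on the server; prices never come from the client.
const CATALOG = { "sku-100": 2500, "sku-200": 999 }; // prices in cents

// What a browser-side script might compute and POST as JSON in an AJAX call.
function buildClientRequest(items, total) {
  return JSON.stringify({ items, total });
}

// Trusting handler: bills whatever total the client sent. Anything the
// browser computed can be altered before it reaches the server.
function trustingCheckout(body) {
  const req = JSON.parse(body);
  return { ok: true, charged: req.total };
}

// Hardened handler: parses defensively, validates every field against the
// server's catalogue, and recomputes the total itself. The client's figure
// is only compared, never used for billing.
function hardenedCheckout(body) {
  let req;
  try {
    req = JSON.parse(body);
  } catch {
    return { ok: false, reason: "malformed JSON" };
  }
  if (!req || !Array.isArray(req.items) || req.items.length === 0) {
    return { ok: false, reason: "items missing" };
  }
  let total = 0;
  for (const it of req.items) {
    // hasOwnProperty rather than `in`: keys such as "constructor" would
    // otherwise match Object.prototype and yield a function, not a price.
    if (!it || typeof it.sku !== "string" ||
        !Object.prototype.hasOwnProperty.call(CATALOG, it.sku)) {
      return { ok: false, reason: "unknown sku" };
    }
    if (!Number.isInteger(it.qty) || it.qty < 1 || it.qty > 100) {
      return { ok: false, reason: "bad quantity" };
    }
    total += CATALOG[it.sku] * it.qty;
  }
  // A mismatch between the client's claim and the server's figure is worth
  // logging; the server's value is what gets charged either way.
  return {
    ok: true,
    charged: total,
    clientClaimed: req.total,
    mismatch: req.total !== total,
  };
}

// Constructed sample: an honest request and one whose total was altered.
const honestBody = buildClientRequest([{ sku: "sku-100", qty: 2 }], 5000);
const alteredBody = buildClientRequest([{ sku: "sku-100", qty: 2 }], 1);
console.log("trusting:", trustingCheckout(alteredBody));   // charges 1 cent
console.log("hardened:", hardenedCheckout(alteredBody));   // charges 5000, flags mismatch
console.log("honest:", hardenedCheckout(honestBody));
```

The point of the hardened handler is not the arithmetic but the posture: every value in the request is treated as attacker-controlled, the catalogue lookup guards against prototype keys, and the server's own computation is the only figure that reaches the billing step.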
However, it creates an environment in which the current model of securing IT systems by constantly adding more tools to the network or host is unsustainable. Increasingly interactive applications find ways around or through those static defenses, Chess said.
'An application can be mashup-friendly or it can be secure, but it cannot be both,' the researchers wrote.
Although functionality still often trumps security, software development is becoming more security-conscious. And the process is changing in large part because of public demand, Chess said.
'The public is catching on' because of the high visibility of identity theft and electronic voting concerns, he said. 'People are increasingly intolerant of somebody just saying "oops"' in the wake of a security failure, he added.
'In the federal space, it is coming on a little slowly,' Chess said. And the government is a major software developer. 'One of the things I am amazed at is the number of people there writing software.'