Web 2.0: Twice the fun, twice the vulnerabilities
- By William Jackson
- Aug 02, 2007
LAS VEGAS -- Browsers are being used in unexpected ways to support Web 2.0. This means that interactive Web applications are subject to the same vulnerabilities as client-server applications, as well as some new ones that developers might not have considered.
Chess is at this week's Black Hat Briefings security conference, pounding the drums for secure software development to help prevent such unintended consequences.
The current model of securing information technology systems by constantly adding more tools on the network or on the host is unsustainable because increasingly interactive applications by their nature find ways around or through these static defenses, Chess said. The new model for security should be software that can defend itself, he said.
Chess said there are demonstration exploits of such hijacking attacks, but he does not know if they have been found yet in the wild.
Not coincidentally, Fortify makes tools that aid in creating secure software by examining software in the development stage, examining its behavior for quality assurance and monitoring performance once it is in production.
Chess said he sees reason for hope in the current status of programming.
Overall, 'software developers are getting better,' he said. 'Some get it, and some don't.'
One company that he said gets it is Microsoft, which established its trustworthy computing initiative to save its reputation in the face of widespread dissatisfaction with buggy programs. The Windows Vista operating system is the first major product developed under the initiative to be released. Whether it results in a more secure operating system is yet to be seen, but the process has been changed, in large part because of public demand, Chess said.
'The public is catching on' due to the high visibility of identity theft and electronic-voting concerns, he said. 'People are increasingly intolerant of somebody just saying "oops"' in the wake of a security failure.
But the ability of public opinion to change development practices is limited outside of the consumer market.
'In the federal space it is coming on a little slowly,' Chess said. And the government is a major software developer. 'One of the things I am amazed at is the number of people there writing software.' Changing government development processes is a long, slow job, he said.
Chess is demonstrating different approaches to software security by hosting the Iron Chef Black Hat competition at this week's briefings. Two Fortify engineers will go head to head analyzing a surprise piece of mystery code for flaws. As an added fillip, the audience, usually an interactive bunch at Black Hat, will get the code at the same time so they can test themselves against the engineers.
William Jackson is a Maryland-based freelance writer.