
Using security standards November 24, 2013

Posted by Jiaqi Wu in Security.

Most cryptosystems fail because of people, not because of the technology. In my industry experience and from watching the news, the largest vulnerabilities result from somebody failing to secure a system, not from a fault in the technology they chose. One of the largest examples I have seen is in one of the enterprise software platforms I have helped develop.

Enterprise applications across a business have numerous components that require similar functionality because they belong to the same company. By building common platforms, a large business can speed up application development significantly through component and service reuse. Of course, the platform covers many subjects, such as security, in which application developers lack expertise. It is therefore the responsibility of the platform team to abstract these concepts behind a simpler interface so that application developers do not have to worry about them. However, it is one thing to provide the services in the platform and another to ensure that application developers actually use them.

In security there is a set of standards for securing web applications. The enterprise application platform mentioned above has integrated several of these and abstracted them to make them easier for a developer to use. They include several key layers:

  • HTTPS capability to secure the network transfer of data
  • SAML token-based authentication for identity verification
  • XACML-based authorization to determine role-based access to resources
  • Interfaces to commonly used identity stores such as Apache DS and the WSO2 Identity Server

Although these components are all provided at the platform level, using them is not mandatory. They are also inherently complex subjects, so knowledge of them is limited to the more senior developers. As a result, many solutions developed on this platform did not implement security correctly, which can result in numerous vulnerabilities. For example, there are always cases where a basic database such as MySQL or Oracle was used as an identity store instead of a proper server such as an LDAP server. This gives the application logic access to credentials, because these databases cannot verify credentials internally. Other cases include not using token-based authentication and instead validating authentication only once, through client-side logic. This kind of mistake can allow anybody to access system resources without their access ever being verified.

Even outside of my case, there are other cases where vulnerabilities occur because of programmer mistakes. Sony's PlayStation Network was compromised several years ago because of simple SQL injection vulnerabilities, something that most web application platforms protect against [1].

All of these vulnerabilities have a fundamental root cause: the application developer was given a choice. In the enterprise application platform example, developers are provided with the capability to use the available security but can choose not to use it. In the Sony example, web developers had the tools to prevent SQL injection but did not use them. As a vast generalization, most engineers prefer to have a choice in how they implement something. However, these choices are often made without a comprehensive understanding of the options available. At the platform level, removing choice in order to enforce practices could be a more valuable approach to platform engineering. It would make security integral to a system instead of just a set of tools available to developers. We are seeing trends in this direction, such as the HTTP 2.0 standard, in which HTTPS will be mandatory [2]. This will completely eliminate many of the mistakes that developers make in securing their login screens.

Platform-level mandated security makes security a much more integral part of a system. Conceptually it is similar to using autopilot on commercial airplanes: as a result of autopilot technology, commercial airline accidents have been reduced to nearly zero. It works by removing choice from people, thereby removing the possibility of mistakes. Our software platforms need to operate the same way. If there is a standard in a particular domain, the platform should enforce the standard, not just provide the capability. It will always require more transition time, but in the end solutions will be more secure.
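As an added illustration (not code from the author's platform), the following Python sketch shows a platform entry point that enforces the token-based, role-based access described above: every request is authenticated server-side against a signed token, every handler must declare its allowed roles when it is registered, and application code only ever receives verified claims, never credentials. The signing key, users, roles, routes and handlers are constructed placeholders, and the credential check an identity server would perform before minting a token is omitted.

```python
import base64
import hmac
import json
import time

# Constructed demo values: a real platform keeps the key inside the identity
# service and resolves roles from the LDAP/IdP store, never in application code.
PLATFORM_KEY = b"constructed-demo-signing-key"
ROLE_OF_USER = {"alice": "admin", "bob": "user"}

def issue_token(user, ttl=300):
    """Identity-service side: mint a signed token (the preceding credential check is omitted)."""
    claims = {"sub": user, "role": ROLE_OF_USER[user], "exp": int(time.time()) + ttl}
    payload = json.dumps(claims).encode()
    sig = hmac.new(PLATFORM_KEY, payload, "sha256").digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (payload, sig))

def verify_token(token):
    """Return the claims if the signature verifies and the token is unexpired, else None."""
    try:
        payload, sig = [base64.urlsafe_b64decode(x) for x in token.split(".")]
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(PLATFORM_KEY, payload, "sha256").digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return claims if claims["exp"] >= int(time.time()) else None

_ROUTES = {}  # path -> (allowed roles, handler)
def route(path, roles):
    """The only way to register a handler: the allowed-role set is a required argument."""
    def register(handler):
        _ROUTES[path] = (frozenset(roles), handler)
        return handler
    return register

def dispatch(path, token):
    """Platform entry point: authenticate and authorize on every request, before any handler runs."""
    allowed, handler = _ROUTES[path]
    claims = verify_token(token)
    if claims is None:
        return 401, "authentication required"
    if claims["role"] not in allowed:
        return 403, "forbidden"
    return 200, handler(claims)

@route("/reports", roles={"admin"})
def reports(claims): return "reports for " + claims["sub"]
@route("/profile", roles={"admin", "user"})
def profile(claims): return "profile of " + claims["sub"]
```

Because `dispatch` is the only path to a handler, a developer cannot forget the check the way they can with an optional client-side validation; a malformed, tampered or expired token is rejected before any application logic runs.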


[1] Anthony, Sebastian. “How the PlayStation Network was Hacked”. ExtremeTech. April 27, 2011. Accessed on Nov. 24, 2013. http://www.extremetech.com/gaming/84218-how-the-playstation-network-was-hacked

[2] Chacos, Brad. “Next-gen HTTP 2.0 protocol will require HTTPS encryption (most of the time)”. PCWorld. Nov. 13, 2013. Accessed on Nov. 24, 2013. http://www.pcworld.com/article/2061189/next-gen-http-2-0-protocol-will-require-https-encryption-most-of-the-time-.html
