At the Gartner Symposium/ITxpo last week, Andrew Walls, a security analyst at the company, shared his thoughts on how Web 2.0 affects application security.
Walls discussed how traditional desktop security measures are falling short in a Web 2.0 world and how developers need to take more personal responsibility for the security of their code.
Q: Whats the single biggest threat to applications on the internet?
A: People. I know that sounds a bit simplistic and facetious but what it really comes down to has always been the way people use applications, and the way people use data. If everyone was honest, trustworthy and truthful, then we wouldn't have security problems. On a practical level, we assume in the security business that everyone out there is deceitful, dishonest and trying to rob us all blind — so we try to secure applications as well as we can.
In the world of Web 2.0, mashups and web-deployed applications, many of the issues we deal with are actually the classic issues around security and application development — we need to make sure that the input data, ie the information that we're entering into form fields in a web page, is actually valid data — information that we want to have put into our system. And of course, the information that leaves your system is what you want to have put out.
Any system that ignores those basic rules is a system at risk. If you remember a couple of months ago, there was a big hullabaloo about the [Australian] prime minister's website being hacked. That was a classic JavaScript attack that relies on people not validating input when they take data from a standard form. Now this is one of the standard forms of attack, and they still exist — that's the problem. The developer world has not done a good job at validating all their inputs and outputs, or putting clear bounds on all of the data moving through their systems.
We assume in the security business that everyone out there is deceitful, dishonest and trying to rob us all blind
Andrew Walls, Gartner
Fundamentally those problems exist because of people — systems do whatever we tell them to, but it's people that carry out the attack, that hack the controls we put in place. The biggest problem is always going to be ourselves.
How well are these problems understood by businesses?
Well it depends on what you mean by businesses. Sitting here at the ITxpo, any one of these businesses out here on the floor understand them very, very well. But, of course, they're focused on IT, about security, and they deal with that all the time. If, on the other hand, you're working for a bank or for a car manufacturer and you talk to the business leaders in those organisations, they would have no understanding of the minutiae I was just talking about — validating and the like. Nor should they. What they need to understand is the impact on their business if those security problems are left untreated and unmanaged. They'll hire security managers and professionals to look after it for them.
What security managers need to be able to do is translate these technological and security risks into business language — into business risks. So then the business leaders can make informed decisions about their business. They don't need to know about the specific problems; that's the security manager's job. The business leader does need to be informed, and to have real data, so the executive can make the best decisions.
How well can the approach taken to desktop application security be taken to the web?
They really don't map very well to each other. To start with, desktop security is not done very well — there's a lot of changes going on there still. We're seeing a whole new class of products that we refer to as "data-leak protections". This covers things like moving data on to a USB stick or burning it onto a CD. That goes beyond identity management or making sure people have tokens for strong authentication — it's more looking at how data moves through your system and controlling that information correctly.
If I want to stop credit card information from leaving my system, either over the network or through somebody's laptop or USB stick, then I have to have software that knows what a credit card number looks like and can do things when it sees data being moved to the wrong places. That goes way beyond what most…
