Coffeehouse Thread

37 posts

Software security - is it really necessary - of course ... but at a cost

  • davewill

    Let's discuss software security.  Spurned by this article

    http://www.foxbusiness.com/technology/2013/07/31/cyber-siren-is-blaring-but-is-anyone-listening/

    The unveiling of the largest-ever U.S. cyber crime prosecution last week serves as a blaring siren for Corporate America to ramp up security and thwart complex attacks, but companies still seem to struggle to keep pace.

    ...

    The problem has grown persistent over the last few years, with cyber evildoers illegally capturing billions of dollars worth of data and money from unsuspecting victims. In the most recent case, the criminals inflicted "hundreds of millions of dollars" in damages and stole 160 million credit card numbers over six years.

    ...

    Sixty-four percent of organizations attacked in 2012 took more than 90 days to detect an intrusion with the average time for detection being 210 days – 35 days longer than in 2011, according to a report released earlier this year from data security firm Trustwave.

    Five percent took more than three years.

    ...

    Especially unnerving is the widespread success of SQL injections. Remote access and SQL attacks, the tool of choice by hackers in the scheme unveiled last week, together made up 73% of the infiltration methods used by criminals in 2012, according to Trustwave.

    ...

    At some point, it becomes too costly to pay for the defenses necessary to stay far enough ahead of them, and that's when security systems become outdated.

    ...

    "It would take a little extra time and money to make sure a system is secure, and many companies don't want to make that investment," he said.


    Security is hard, expensive, and obtrusive.

    Security conflicts with productivity, at least in the scope of the developer who is trying to accomplish task xyz, not thwart convoluted attack lmnop, stuv, and yabbayabbayabba.

    Security is expensive. I don't think consumers would realize just how much the cost of technology goods and services would rise if the software industry made security a top priority and a top budget item (if needed) across the board.

    Security is obtrusive. More software updates means more churn for an end user base that already complains with comments like "another update again <insert rolled eyes/>".

    Yet security is needed.

    Is this era of heightened attacks conveniently in sync with the race to the bottom in TCO (total cost of ownership)? Is security on the same treadmill that computer hardware vendors have ridden with their super thin margins and cut-rate products?

    It seems today that TCO is so important that security is purposefully ignored by key decision makers.

  • spivonious

    @davewill: If 73% of the attacks were through SQL injection, that's just horrible. It's one of the easiest things to prevent.

    On the other hand, if your site doesn't really have any confidential data on it and would not normally be considered a target for hackers (e.g. a quilting club website with a member forum), is it worth the up-front investment of time and money to build in a high-level of security?

  • bondsbw

    I wish nobody ever came up with the idea to make SQL a database API.  It was intended for human use, not to be used from code.

    When my program talks to other .NET programs, I don't send C# strings in to be compiled and executed.  I call a WCF or similar API.

  • kettch

    spivonious wrote:

    On the other hand, if your site doesn't really have any confidential data on it and would not normally be considered a target for hackers (e.g. a quilting club website with a member forum), is it worth the up-front investment of time and money to build in a high-level of security?

    Except that those kinds of sites can be a target. If I hit Grandma Ethel's quilting forum, and get email addresses and passwords, I can then start checking to see if those users have been using the same email addresses and passwords on other sites, like their bank.

  • evildictaitor

    spivonious wrote:

    @davewill: If 73% of the attacks were through SQL injection, that's just horrible. It's one of the easiest things to prevent.

    On the other hand, if your site doesn't really have any confidential data on it and would not normally be considered a target for hackers (e.g. a quilting club website with a member forum), is it worth the up-front investment of time and money to build in a high-level of security?

    Your website is a target by virtue of being a website. Even if it serves only static HTML and has no user-content on it whatsoever, it is still a target because it is a computer on the Internet. It can be used by bad people to send spam, to pivot and hide the IP address of malicious traffic, to host malware, mine bitcoins and take part in large scale DDoS attacks on other websites.

    Even if the person who hacks your website doesn't do all of that, that's not to say they won't onward sell access to your server to someone who will.

    The argument that you are not a target of cyber crime is a dangerous myth that will put you, your data, your customers, your credit rating and your credibility as an organisation at very serious risk.

    If you're not going to secure your computers properly, pay someone else to do it for you. It is cheaper in the long run to make your computer secure than to pay the cost of patching up after the damage of failing to keep your machines secure later.

  • magicalclick

    Simple things like SQL injection are secured using ASP.NET's simple parameterized SQL. And use simple salted ASP.NET membership to secure the passwords. Most companies should at least do those. They are very painless to do. Of course, true security is much harder.

    Leaving WM on 5/2018 if no apps, no dedicated billboards where I drive, no Store name.
  • cheong

    spivonious wrote:

    @davewill: If 73% of the attacks were through SQL injection, that's just horrible. It's one of the easiest things to prevent.

    On the other hand, if your site doesn't really have any confidential data on it and would not normally be considered a target for hackers (e.g. a quilting club website with a member forum), is it worth the up-front investment of time and money to build in a high-level of security?

    I think more than half of the sites involved in successful attacks do have code to prevent SQL injection, but just implement it in the wrong way.

    How many times have we seen people think filtering by some keywords would be enough? (See TDWTF earlier, where just adding a simple BEGIN...END will work around the "protection".)

  • cheong

    evildictaitor wrote:

    Your website is a target by virtue of being a website. Even if it serves only static HTML and has no user-content on it whatsoever, it is still a target because it is a computer on the Internet. It can be used by bad people to send spam, to pivot and hide the IP address of malicious traffic, to host malware, mine bitcoins and take part in large scale DDoS attacks on other websites.

    Even if the person who hacks your website doesn't do all of that, that's not to say they won't onward sell access to your server to someone who will.

    The argument that you are not a target of cyber crime is a dangerous myth that will put you, your data, your customers, your credit rating and your credibility as an organisation at very serious risk.

    If you're not going to secure your computers properly, pay someone else to do it for you. It is cheaper in the long run to make your computer secure than to pay the cost of patching up after the damage of failing to keep your machines secure later.

    Wholeheartedly agreed. If your machine has internet access, it shares responsibility to make the internet a safer place.

    Too bad many companies still make a policy of "don't run any patch on a server that goes production".

  • evildictaitor

    cheong wrote:

    *snip*

    I think more than half of the sites involved in successful attacks do have code to prevent SQL injection, but just implement it in the wrong way.

    How many times have we seen people think filtering by some keywords would be enough? (See TDWTF earlier, where just adding a simple BEGIN...END will work around the "protection".)

    Lots of people try and secure their SQL in all sorts of different ways.

    But the only safe way to do it is with parameterized SQL - and only then if you parameterize everything.

    If an attacker can control your table name, or you think it's a number, not a string, or an attacker can't reach that page, just for heaven's sake do us a favour and parameterize it anyway. There's never any harm in over-parameterizing it, and the cost of you under-parameterizing it is having to explain to your CEO why CNN is reporting that his company just lost all of his users' email addresses and passwords.

    Seriously. I used to work as a security consultant, and I've secured a lot of websites. And on every site that didn't parameterize all of its SQL statements we ended up with root on the box, including all of the data in the database and full code execution on the server. Even the ones that did their own protection or thought they could just escape the string before gluing it into the SQL.

    Don't do it. If it's not parameterized, it's not safe. And if you write your own filter or think you're cleverer than the attackers or that your website isn't important enough, then it will all end in tears.
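    An added example, not code from the thread or from any of its posters, illustrating magicalclick's and evildictaitor's point above (and cheong's remark about filters) in Python against an in-memory SQLite table. The same constructed inputs are sent through a query glued together from strings and through a parameterized one, once for a text column and once for a numeric id that a developer might assume needs no parameter. The table rows and the crafted inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("carol", "carol@example.invalid")],
    )
    return conn


def find_user_glued(conn, name):
    # VULNERABLE: the caller's text is spliced into the SQL and parsed as SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    # SAFE: the value is bound as a parameter; the statement text never changes.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_id_glued(conn, user_id):
    # VULNERABLE even though the column is numeric: "it's a number, not a
    # string" is exactly the assumption the post above warns against.
    sql = "SELECT name FROM users WHERE id = " + str(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_id_param(conn, user_id):
    # SAFE: a non-numeric string bound to an INTEGER comparison simply matches nothing.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run both styles of query over the same constructed inputs."""
    conn = make_db()
    crafted_name = "nobody' OR 'a'='a"  # constructed input that rewrites the WHERE clause
    crafted_id = "1 OR 1=1"             # constructed input aimed at the numeric column
    return {
        "glued_name": find_user_glued(conn, crafted_name),
        "param_name": find_user_param(conn, crafted_name),
        "glued_id": find_by_id_glued(conn, crafted_id),
        "param_id": find_by_id_param(conn, crafted_id),
        "param_id_ok": find_by_id_param(conn, 2),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

    Calling `demo()` shows the glued queries returning every user for both crafted inputs, while the parameterized ones return nothing for the crafted inputs and the single expected row for a real id. No keyword filter is involved in the safe versions: the database engine never sees the input as statement text, which is why parameterizing everything is the fix rather than trying to recognise hostile strings.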

  • davewill

    evildictaitor wrote:

    *snip*

    Seriously. I used to work as a security consultant, and I've secured a lot of websites. And on every site that didn't parameterize all of its SQL statements we ended up with root on the box, including all of the data in the database and full code execution on the server. Even the ones that did their own protection or thought they could just escape the string before gluing it into the SQL.

    As someone who wants to learn, it would be awesome to put up an Azure web role with a simple backend database (or the equivalent in a local VM) and let you have at it. We'll call it the "honey pot for evil".

    Which brings up the question, is there already a honey pot sitting out there that publishes the various attempts?

  • blowdart

    davewill wrote:

    As someone who wants to learn, it would be awesome to put up an Azure web role with a simple backend database (or the equivalent in a local VM) and let you have at it. We'll call it the "honey pot for evil".

    Please don't do that on Azure, because guess whose security org I sit in Tongue Out

  • davewill

    blowdart wrote:

    *snip*

    Please don't do that on Azure, because guess whose security org I sit in Tongue Out

    So noted. Azure is out.

  • figuerres

    cheong wrote:

    *snip*

    Wholeheartedly agreed. If your machine has internet access, it shares responsibility to make the internet a safer place.

    Too bad many companies still make a policy of "don't run any patch on a server that goes production".

    or sites that, say, were done with classic ASP and never updated ...

    or sites that store passwords in clear text; if they do that, what else is not secure?

    I know of one that has both issues but I have not tried to talk to them, as they may also be going out of business ... not due to this, I think, just that they are in a small market and it's tough sometimes.

    But I know there are many other sites like that, and I bet a lot of them are hackable.

  • bondsbw

    @figuerres: And unfortunately, some of the bad practices start as a prototype, and that prototype becomes real code and goes into production. And because the team didn't have time to fix it before production (ain't nobody got time for dat), it sits there in production for years.

    And then one day you get spooked by an article about a similar group being hacked and it's like, damn... I gotta fix this system?  It's now 5x the size with 13 external clients that depend on the current implementation.

    So... put security in the schedule.  Just do it right the first time.

  • blowdart

    bondsbw wrote:

    So... put security in the schedule.  Just do it right the first time.

    Except ... it's not "the first time". It's ongoing. You can't deploy an app and forget about it. Look at password hashing: 5 years ago MD5 was fine. Then it was salted MD5. Now we need multiple iterations of SHA with salt. Who knows what will be acceptable in another 5 years?

    And people don't plan for this. The system is working. It would be too expensive to change now. And when a new exploit comes along, where the platform breaks, or your CMS breaks or whatever the heck else, your data is exposed, and the stuff you used to protect it 5 years ago isn't good enough any more.

  • DaveWill2

    blowdart wrote:

    *snip*

    Except ... it's not "the first time". It's ongoing. You can't deploy an app and forget about it. Look at password hashing: 5 years ago MD5 was fine. Then it was salted MD5. Now we need multiple iterations of SHA with salt. Who knows what will be acceptable in another 5 years?

    And people don't plan for this. The system is working. It would be too expensive to change now. And when a new exploit comes along, where the platform breaks, or your CMS breaks or whatever the heck else, your data is exposed, and the stuff you used to protect it 5 years ago isn't good enough any more.

    Excellent communication. There is more we should do for security at every stage. I often feel that having double the time would help reach the point where sleep wasn't lost. What do others feel is needed?

  • Bass

    Water can flow around obstacles.

  • davewill

    @Bass: Oh sensei, what dost thou mean?
