Thursday, August 20, 2009

Securing web applications is hard. OWASP is your answer.

The shift to web applications has some very serious security ramifications. Every day another developer writes another web application. It is simply amazing how quickly you can deploy an application these days. With the cloud you can be up and running with a sample application in 30 minutes. It did not use to be like that. Deploying applications to the masses required more resources, specifically the IT resources to set up a machine for the internet. Now you can provision machines on the fly with images put together by thousands of other people. Frankly, it's very cool. But with great power comes great responsibility. The current wave of applications is creating a playground for information thieves.

From someone who has deployed software-as-a-service applications dating back to 1998 (yes, you read that right), the cloud is revolutionary. We actually used EDS to host our first application. Comparing that to the cloud is a study in contrasts. The EDS facility was actually bunkered to prevent a military attack. Getting access to a machine required a security clearance, including a lie detector test. The other day I deployed a new Rails application on the EC2 cloud in about an hour.

The problem lies in the assumptions we all make. Our applications are deployed on an OS that is pre-configured by someone. Is that image set up properly to be secure? Maybe, or maybe not. Hmmmm. Software developers, like myself, want the underlying tool vendors and communities to provide tools that make it easy to develop secure applications. Are those tools making it easy for me to develop a secure solution? Maybe, or maybe not.

Most organizations are left very vulnerable, and most of them don't even know it. They hire a good consulting company to build them some software for the web. If they are lucky, the consultants do a good job and build them a well-designed and well-tested web application. But 99.9% of the time they assumed the image it was deployed on and the default tool settings are secure. I would guess 90% of the time they are wrong.

So where do we go from here? The first step is to admit that we have a problem. The next step is to ask for help. Let's face it, building secure web applications is hard. I'm suggesting that all developers start a 10-step program. Learn the OWASP Top 10. Make sure that the tools you are using are set up to provide defaults for your applications and projects that head off the Top 10 issues. The goal of this blog is to help you on your recovery to security. We can't all do it alone.

My name is Russell and I have a security problem.
Hi Russell!
A room full of strangers listens and provides support for my security affliction. On the way out I put my $5 in the coffee can.