Seek out vulnerabilities in your software before the criminals do
picture courtesy of #WOCinTechChat
written by Mark Downie
Software development in many ways has lagged behind other engineering and scientific disciplines in academic rigor and professional regulations. When you take a closer look at most other engineering disciplines, they rest on a foundation of accretive professional standards, and on laws and regulations that expressly guard the public good.
The sheer speed with which software patterns change and then permeate the lives of everyday people has probably contributed to our industry's laissez-faire attitude. I would suggest that recent security breaches (Adobe, Target, LinkedIn, to name a few) demonstrate that software engineering practice is overdue for a makeover, one that treats a minimum set of security standards as first-class citizens alongside our functional requirements.
Securing our data
Having worked in health and finance for a few years I have seen the many ways software positively impacts the lives of our customers, and as the appetite for sophisticated software solutions increases, what also emerges is the need for mobility. The term mobility should not be limited to the mobile devices we own; it describes how data and experiences seamlessly translate into every facet of our lives. What supports and allows for the most inclusive mobile experience are the platforms and services collectively referred to as the Cloud.
More and more of our data is being placed in the Cloud (not just on your PC), and as we create more sophisticated relationships between these datasets, we can inadvertently widen the attack surface. Exposing these important and intimate data layers in any form imposes a serious burden that must be carried carefully.
In recent news, privacy and security concerns are being weighed against the needs of a government agency trying to protect its citizenry, but that very necessary conversation need not impede the critical role of software architects in building systems that inherently protect customer data.
In an open letter to customers Apple’s CEO posited the following:
For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach because we think the contents of your iPhone are none of our business.
The overarching assumption here is that you are creating systems that protect user data from yourself first and then from others. You assume that your own organization (including managers, developers, IT staff, customer service, etc.) can, even if only inadvertently, represent a very real attack vector.
Hack yourself
As part of my day job I evaluate security threats to web applications, more importantly, I encourage other developers to hack themselves actively. I first heard the idea of “Hack Yourself” as part of a great TEDx talk by Jeremiah Grossman where he points out the importance of actively seeking out vulnerabilities in your software long before the criminal hackers do.
Seriously, ask yourself, when was the last time you dedicated time to proactively hacking at a site you created? Do you even know where to start?
If you are creating web applications that collect Personally Identifiable Information (PII) I would encourage you to check out the following links:
- The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include security experts from around the world who have shared their expertise to produce this list.
- I have found the Open Web Application Security Project (OWASP) Testing Guide to be an indispensable tool for enterprise-grade security considerations.
- For a detailed, hands-on video course, check out Troy Hunt's Pluralsight course Hack Yourself First: How to go on the Cyber-Offense. There are over 8 hours of content (take advantage of the free trial).
I am hopeful that our industry will do more to encourage more rigorous standards across the board, but until then it is up to us to ensure we are thinking about security by default.