Wednesday, May 28, 2008

Security - Am I phobic?

Armando Romeo
Am I being pedantic in reporting a CSRF vulnerability?
I have had the (bad?) luck of being in the position of reporting vulnerabilities to many software vendors.
Most of these were web application related. Whether I did it for fun, for commitment or for my own site's security, I have always liked the responsible disclosure approach.

I feel that we, the good guys, should help the developer community learn from their mistakes with some compassion.

But the more I work in the security field, the more questions arise in my mind.
Am I being paranoid when I explain how a cross-site scripting flaw can ruin a website's credibility, steal customer data and lead to malware propagation?

Well, sometimes, when you talk to software vendors and have to show them the risks related to your findings, you feel phobic. They make you feel that way, with their "so what?", "it seems hard to exploit" or "is this a vulnerability for real?".

I decided to talk about this after reading that an authority in the field posted his feelings about this as well.

I feel like only the security community tends to give each kind of vulnerability its proper weight, while the vendor base reasons only about ROI, image (stock price) impact and risk acceptance.

The security layer is implemented only when it becomes a duty, whether by law or by compliance.
Security for the sake of security is just a motto of some open source projects like Joomla. You wouldn't believe how interested they are in fixing and hardening this FREE CMS. Why?
Because they have the knowledge to do it on their own, without outsourcing it.
Vendors, most of the time, have to outsource audits and security plans to third-party companies.

Outsourced security gives better results 99% of the time, since it is carried out by people who do this for a living. But it is also costly and does not guarantee 100% security. No security company can afford any guarantee.

So security professionals are becoming more and more salesmen.
They need to be persuasive:
if you don't secure yourself, you will get hacked and lose more money than what you're paying me now to secure yourself.
Moreover, outsourced security contracts are being used to show at least "good intentions" when customers complain about stolen credit cards. I mean, they can become a mitigating factor when a hacked company has to indemnify its customers after a disaster.

That's why risk/vulnerability assessment has its importance.
I would make it the first step in a security engagement.
And I'm more than happy to see more compliance rules forcing companies to demonstrate a minimum certified security level.

Not that these compliance regimes (like PCI) are synonymous with security, but at least we, the security good guys, know that we are not talking to walls.
They have to listen to us, because I know we are not phobic.