funsec mailing list archives
Re: Poor programming, app design bolster data breaches
From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 8 Jan 2013 17:42:46 -0800
I would argue that it is even worse than that -- tens of thousands of website owners install Joomla or WordPress (and their respective extensions and plugins) and then never bother to update them when there is a security patch upgrade. *This* is one of the primary problems. And it is *not* okay "itsoknoproblembro". :-/

- ferg

On Tue, Jan 8, 2013 at 5:23 PM, Jeffrey Walton <noloader () gmail com> wrote:
http://www.infosecurity-magazine.com/view/30106/poor-programming-app-design-bolster-data-breaches/

With data breaches on the rise and the costs stemming from them escalating exponentially, human error is often the culprit. But there's a deeper issue: poor application design and faulty programming are all too common.

It's more important than ever to create secure applications during the development phase, but very few strides have been made along that path, according to Pieter Danhieux, an instructor at the SANS Institute and co-founder of the security and hacking conference BRUCON in Belgium. The teaching of application design and programming needs to undergo a substantial change because students are not taught and have not practiced secure design processes at an early enough stage, he asserted.

"Programming students will typically attend a single module on security during a course and it often comes in the later part of the educational cycle," he explained. "The result is often a class of very talented developers but they don't think with security in mind."

That leads to poor security practices such as building applications with buffer-overflow and SQL injection vulnerabilities that are widely exploited by hackers. Danhieux also said that many of the fundamental mistakes that he was exploiting as a penetration tester 10 years ago are still the most common issues today.

Approaches for combatting data breaches, from development to client password policies, need to be supercharged in the face of a growing threat, he said. "The US is one of the only countries with a well-developed disclosure culture around security breaches, so the assumption might be that there are relatively few incidents and that America is the epicenter," Danhieux said. "I can tell you for a fact that the scale of the attacks is at epidemic proportions and it is organized, well-funded and global."

Thus, website designers, architects and developers must understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. "The goal is to learn the skills of an attacker so that students can become better defenders," Danhieux said.

That's not to say human error isn't still a big part of the problem. "You can't say it's just down to insecure program design," he noted. "The bigger problem is still due to insecure passwords, over-privileged users and poorly patched systems."

Danhieux is familiar with the reality on the ground in his work for BAE Systems Detica, an information intelligence company. "We deal with incidents and security assessment results every day, and when you look at the root cause analysis, 80% of the time it was one of these issues," he said.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com