Why Security Programming is Hard


I find software security alarming.

Mostly because when I was working for Google, nobody had a good grasp of the concepts. Keep in mind I don’t either. I’ve read a few hacking books, and played around some with the examples. I’ve submitted JavaScript examples to the Chrome team that made the browser crash, but I’ve never come close to fully exploiting Chrome. I’m always in awe when I see some of the Chrome exploits that use 4-6 separate bugs to escape the browser’s sandbox.

Here’s why I think it’s alarming: Google is supposed to employ some of the brightest software engineers in the world, and yet, almost nobody knew anything about security. My “hacking” credentials were probably the best on my team after I read a couple of books.

Breaking into software just isn’t part of most computer science curriculums.

I realize Google employs full security teams now, and they know their stuff, but most regular software engineers don’t. And if they don’t know it at Google, what does that say about the rest of the engineers in the field?

Even in web software, the number of things a programmer can overlook is alarming.

Bear with me while I list some:

Someone can break into your production machine and do a database dump of all your customers.
You might forget to secure SSH access, or you might not set up a firewall. You will probably not remember to update all your packages over time, so you’ll have software with known security vulnerabilities.
You might leave your server process running as a user with too many privileges, or your database might not be secured.
You might expose your database to the entire world because your network isn’t set up correctly.
Even if you get all the sysadmin stuff “right”, you still have to worry about dealing with user input and SQL injection attacks.
Sometimes programmers make the simple mistake of not blocking access to private data using a login.
Finally, what if you don’t use https? Then an attacker can intercept any traffic going between the user’s machine and your server.

Keep this in mind when you’re using online services.

I just hope our banks and financial institutions employ hordes of security people.

I’d recommend you assume that nothing is secure, and use dual authentication schemes whenever possible.

And FYI, I use online shopping, banking, and bill-pay as much as anyone else. I just assume that if these things aren’t secured, we’re all screwed, so I don’t worry about it.
