7
Dec

Do as I Say…

   Posted by: Joshbw   in Secure Development

Add Comment

An old and well worn addage is “Do as I say, not as I do”, generally in a fit of hypocracy when the listener is asked to ignore the example being set by the speaker. The fallacy of that statement was addressed by the series of “I learned it by watching you” advertisements trying to drive home the point to parents that children are more likely to learn from example than from what the parent says.

In the Applications Security space we are big fans of telling developers what they should and shouldn’t be doing in order to produce secure applications, which is all well in good so long as we are not violating those very same instructions within our own properties. If developers are visiting their enterprise’s security portal and see examples in practice contradicting the secure coding and design standards on display on the very same portal, it completely undermines those standards.

Having raised this more than once and been given a liteny of excuses of why it is acceptable (there isn’t anything of value on this website, we wanted to get the content up now and we can always go back and fix the problems, it is only for internal employees anyway, etc), the same excuses that developers of any other project will put forth for why they don’t need to build security in for this release, I really wonder about the effectiveness of the message the application security community is trying to convey. If we can’t even get our own organizations to embrace our suggestions, obstensibly folks that “already have the religion”, what is our hope of getting converts to that message elsewhere.

So for various security organizations, the risk profile of your application is not an acceptable excuse to ignore your own security recommendations; if you are not going to abide by your own mandates do not bother asking others to do so. “Do as I say, not as I do” is a very ineffective strategy. Developers WILL notice your lapses and no amount of trying to create a justification of such a lapse based on the risk profile of the application in question will buy you any crediblity to restore that which was just lost. The risk is not to the confidentiality or integrity of the application, but rather to the integrity of the message the security organization hopes to convey. Even if the underlying message is completely valid, a kid being told by a parent presently working through another pack of cigarettes for the day isn’t going to buy that they themselves shouldn’t smoke.

And a special message to OWASP, the same applies to you, and your various caveats throughout your website do not make it ok to ignore your own advice. Saying

“You may enter a privacy password below. This provides only mild security, but should prevent others from messing with your subscription. Do not use a valuable password as it will occasionally be emailed back to you in cleartext. “

when subscribing to a mailing list is not OK. It doesn’t matter that there is little security risk even if someone does compromise the password – the entire point of this post was to establish that security risk is not the only consideration. You undermine your message when you choose the easy route – why should I hash my passwords when it is obvious OWASP, whose job is communicating security, doesn’t think it is important that they do.  Similarly, I think it would be great if you set “AUTOCOMPLETE=off” on your login form, like you suggest in your various coding recommendations, and similarly switch to a generic message if either the username or password is wrong, rather than telling me that specifically the username or password is wrong. Incidentally, MediaWiki would be all the better if you had those changes adopted into their mainline branch, which is the least you can do having leveraged the project.

~ Joshbw

Share and Enjoy:
  • Digg
  • del.icio.us
  • Facebook
  • Google Bookmarks
  • Live
This entry was posted on Monday, December 7th, 2009 at 5:58 pm and is filed under Secure Development. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.

4 comments so far

Michael Coates
 1 

Joshbw,
OWASP is a non-profit organization completely run by volunteers who have the passion, skill and interest to pursue a particular area of application security for the betterment of everyone. As such, particular areas of OWASP have prospered due to a collaborative effort of generous volunteers.

It sounds like you definitely have the passion and skill in this area and have highlighted an area which could be enhanced. Would you like to take the lead here and help the OWASP mission?

-Michael

December 8th, 2009 at 1:44 pm
Jeff Williams
 2 

Thanks Josh! I think your basic point is right, and we should eat our own dogfood.

Please remember that OWASP is an an all volunteer organization operating on a shoestring budget. We *have* given considerable support to a huge range of open source projects, including MediaWiki, Spring, Hudson, and many others. You should know that we have invested pretty heavily in the security of the OWASP site, with hardening, patching, configuration, custom plugins, etc… but there’s obviously more we can do.

In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good. Nevertheless, your point about the risk to the integrity of our message is a good one.

So I have to ask – how about working with OWASP and MediaWiki to get the changes you want implemented?

Thanks!

December 9th, 2009 at 9:55 am
Joshbw
 3 

Hey guys, do as I say, not as I do… and indeed, casual hypocracy is hard to combat. As I was writing this I certainly realized I was passing the buck. The security edge open source has over proprietary is that anyone who notices a problem can fix it (I think that is balanced by the fact that blackhats who have no intention of fixing a problem have a bit easier time finding them with access to the source), and indeed since I notice the problem I could certainly fix it myself. I plead hardware failure as an excuse, as my personal dev box is toast at the moment (come on generous tax return, Daddy needs a new computer) but I have gone and open bugs with the MediaWiki Project. In general though, as a consumer of multiple OSS projects myself I should do a better job giving back – they may be free of cost, but I really should recognize a level of obligation as a result of my use regardless.

In terms of OWASP, the resources the organization provides are ones I have refered a multitude of developers to, and have in turn contributed to several pages, but certainly considering the utility it has provided me I owe some more back its way.

In the early years of OWASP, we spent almost all of our time working on building an uber-secure CMS, at a *serious* cost to actually achieving our mission. So I think there’s an important lesson for developers here that security is not black-and-white. You always have to balance the cost to the business against the investment in security…and if that’s what developers take away from the OWASP site then I think we’ve done something good.

Indeed that is something I fully understand. Security is just one business need among many, and the business needs to balance competing needs. I think an underlying message to my post is that security teams need to be reasonable in their security pronouncements – all to often security professionals like to speak in absolutes as if security considerations are on a higher pedistol when at the same time they implicitely understand that they themselves are weighing the security of their own properties relative to the other business considerations of their proprerties. In general I think those of us in the enterprise are obligated to live our examples – in our own projects find the right balance of security versus other considerations (or even security versus security. Often confidentiality, integrity, and availability are competing rather than complimentary concepts) and use that to inform our educations of the rest of the enterprise.

December 9th, 2009 at 11:38 am
Joshbw
 4 

Incidentally, to further blemish myself, one thing correctly pointed out in the mediawiki bugzilla discussion that I *should* have thought about myself was that in terms of the verbose login messages, a change is pointless. There are numerous ways to discover valid user accounts, intentionally in the design of the application, so when it comes down to it it matters little that you can do so on the login page.

Thus my complaints in that regard appear quite silly.

December 9th, 2009 at 11:47 am

Leave a reply

Name (*)
Mail (will not be published) (*)
URI
Comment

Back to top