Security Bytes

Jun 11 2007   10:57AM GMT

The dangers of Web application security research

By David Schneier

Chris Hoff at Rational Security has an interesting post up today on the problems that researchers face when looking for vulnerabilities in Web-based applications. The basic problem boils down to this: Web applications run on remote servers, not on the researcher’s machine, which means any misuse of those applications can be viewed as an attack, regardless of the researcher’s intent. This can be problematic if you make your living looking for vulnerabilities in Web applications. The folks at CSI have put together a working group to discuss this issue and the group plans to issue its findings this week at the CSI NetSec conference.

The general feeling among researchers who spend a lot of time doing this kind of work seems to be to err on the side of caution. I’ve spoken with a lot of researchers on this topic lately, and several of them have said they won’t touch Web applications at all. Billy Hoffman, a researcher at SPI Dynamics who specializes in Web apps, told me he’s constantly thinking about the consequences of each move he makes. And Ivan Arce, CTO at Core Security, went a step further, saying his company stays away from Web apps altogether, unless they’re specifically asked to look at one. In the current legal climate, this seems like the sensible approach, and it’s hard to blame the researchers for being cautious.

The question is, how will this affect the security of Web applications in the long run? Dave Goldsmith at Matasano gives us a preview of what it’s like to report flaws in this atmosphere:

Step #1: I send in a vulnerability report. I explain the vulnerability in a concise email and include repro steps.

They reply:

Thanks for the tip, David. It’s been noted.

I reply:

Can you give me some guidance on your response guidelines to security vulnerabilities? Is there a timeframe that you try and have vulnerabilities fixed by?

They reply:

Hi David, We’re always looking for new ideas and fixes to roll out in future updates, but as a rule we don’t comment on possibilities or timeframes.

I reply:

How will I know when this vulnerability is fixed?

They reply:

Actually, they don’t reply at all.

Until someone finds a way to write flawless code, we’re going to need the services of vulnerability assessment companies, researchers and code-auditing tools. But if researchers have to look over their shoulders at every turn and wonder whether the FBI is about to kick in the door, it’s going to make their jobs a lot tougher.
