Thursday, February 07, 2008

Security? We'll get to that later.

There have been a couple of posts about security here, and we have seen an example of a website getting hacked in - what was it? minutes? - in yesterday's lecture.

So why do we see security and privacy problems popping up in the Web 2.0 world?
One possible explanation is that if you want to share things with others (and Web 2.0 is all about sharing), then you must sacrifice a certain degree of privacy. Also, if your code is open-source, then hackers will find exploits by merely looking at your code.

But there's another explanation: this article suggests that developers are just too eager to implement new features, and security gets neglected. This phenomenon is not new: the same thing was going on when new and exciting desktop apps were coming up, the philosophy being that the priority is shiny new features for the user, and a stable and secure back-end is merely an afterthought: something that would be nice to have, but no one will notice if it's not there.


Andrew said...

I don't necessarily agree with the commentary on open source software being inherently more insecure than a closed source approach. I think knowing your code is wide open to inspection means that you have to be a lot more security-conscious. Theres still going to be security issues, but they're not as likely to be wide open doors with easy exploits.

It also means, if you have an active project, you have oftentimes a much larger force closing vulnerabilities than you do a force trying to exploit vulnerabilities for nefarious purposes. Take Linux and Windows for instance, last year, there were more security patches for Linux than there were for Windows, and yet, Windows saw many, many more large scale exploitations of bugs than linux did by any measure.

Sorry to tangent off of your original point, but the security outlook on open vs closed source has seen that misnomer passed around far more often than I'd like to see.

Wes said...

Being a security wonk for the last 10 years, I'm going to try and stay off my soap box, but the short answer to "Also, if your code is open-source, then hackers will find exploits by merely looking at your code." is that "security through obscurity" does not work.

Kishor said...

There is no advantage or disadvantage with open source approach. However an open source project will be secure if it is being developed by serious developers Eg.(Mozilla).

I have seen many "Open Source" PHP based projects in past that were developed by people who were learning PHP. Don't expect these projects to be patched that soon. And it is true that many people use just any open source project on their site (e.g. wordpress plugins, stat counters, clocks, chat scripts).

But as far as web goes, finding vulnerabilities in both open/close source code is equally easy/difficult. Mostly you end up doing black box kind of testing to find flaws in the application. Open source does help in this process though

Yuriy Sverchkov said...

The point about open source was that if someone sees your code, they can use that information to exploit the program. Obviously, open source projects are also going to benefit from the open nature of the code and the much larger base of developers (i.e. anyone who cares can be a potential developer.) And obviously, if there's nothing to exploit, having the code isn't going to change that.