Friday, March 16, 2007

5 Stages of Web Application Security Grief

Over the past year many organizations have noticeably started to "get" the importance of web application security and are studying up on the issues, but experience doesn't come overnight. At WhiteHat we meet a lot of different people with a variety of views on the webappsec world. So a couple of days ago, I was sanity checking some of Bill Pennington's (VP of Services) slides on "Five Things Every Security Professional Should Know about Website Security". For some reason, the way the advice was laid out reminded me of the Five Stages of Grief (if you're familiar), because it closely mimicked the attitudes we encounter, depending on a person's degree of webappsec sophistication.

Bill re-did the stages, webappsec style, and it came out pretty funny actually.

1. Denial: "We have firewalls, IDS, and SSL. We are Secure."

2. Anger: "How the heck did this get so bad?!?!?"

3. Bargaining: "We can solve this with frameworks, developer education and some scanners."

4. Depression: "We have so many websites and the code is changing all the time. Maybe if I leave now no one will notice."

5. Acceptance: "I guess my job just got a lot more interesting."

Bill says he's in the Anger stage. Though, that could just be the way he is. Heh. I'd place myself in the optimistic Bargaining stage, having left Anger about a year back. However, I'm slowly starting to gravitate towards Depression as I witness and write about the enormous scale of the problem. From time to time I believe I've encountered those farther along than I am, but I probably pass them off as overly cynical.

So, what stage are you at?


Anonymous said...

Where does "bemused detachment" fit in?
Most of my history has been as a web developer. I've written web sites that were pretty airtight (no XSS, no SQL injection, no auth bypass, XSRF - but nothing high-value. No, really, stop laughing.) and I've written web sites that were pretty bad. In my thus far brief auditing career, I've seen a similar range. Yeah, it's bad. It's really bad, sure. But OTOH, so are door locks, and you just sort of deal. Perhaps internet crime is primarily limited by the number of humans who wish to be criminals, but it's still limited. So, bad as it may be, it's not the end of the world. And it's possible to make sites that are secure, so it's not like the task is entirely hopeless. If you let yourself think that computer security is universally important, you're going to end up bitter and paranoid. Instead, realize that you're doing good work, and quite possibly making slow progress towards a more secure world, but don't expect to Solve The Problem.

Anonymous said...

Either the tail end of anger or the beginning of bargaining. I guess it depends on the day.

Andy Steingruebl said...

So I just read Jeremiah Blatz's comments and I started thinking about motive, means, and opportunity. Did a quick web search on this standard crime phrase and came across a nice PDF from cert:

It's an interesting question how much the internet and vulnerable systems and applications change the standard equations around security.

Insecure physical locks still require a physical presence.

One of the key pieces of fighting internet crime these days, like many other international crimes such as terrorism, is to cut off the money supply. If we make it harder for thieves to profit off the illicit activities we reduce their incentive to try it, regardless of the easiness of the initial theft.

I'm hoping that one day we can also make it riskier via prison sentences and easier jurisdictional cooperation so that we can also reduce the incentives.

It works in the physical world - we just haven't learned very well, or put it into practice, in the electronic world.

Maybe I just need to get the BSA guys to go after people...

Jeremiah Grossman said...

"Where does "bemused detachment" fit in?"

You might be one of those who made it all the way through acceptance. :)

"If you let yourself think that computer security is universally important, you're going to end up bitter and paranoid."


"Instead, realize that you're doing good work, and quite possibly making slow progress towards a more secure world, but don't expect to Solve The Problem."

In all seriousness, that's pretty close to how I conduct myself day-to-day. What really seems to be bugging me is that it's become REALLY REALLY difficult to keep websites safe and secure even when one is familiar with the risks. I'm not talking about the one-off ecommerce website here. I deal more with the super large corps who have literally hundreds of websites with clued-in security guys who are asking, "now what?"

Anonymous said...

Great thing Jeremiah, yes it's so true. I guess I cannot put myself anywhere; on the one hand I care and am in a state of bargaining, on the other I don't anymore and I'm in the last stage, overcome by all the threats. But when I start to feel secure some bastard releases another 0day someplace. Ghehe :)

Anyway, I guess if I did not run Linux on my workstation but Windows, I'd probably be in a chronic state of anger...

Anonymous said...

Oh that last post was from me: Jungsonn.

Sorry I don't have a blogger account.

Anonymous said...

Nice one Jeremiah, I am going to come up with 5 stages of Network Security. hahaha :)

Anonymous said...

Think yourself lucky you're not in the UK. At least you guys in the US are moving through the cycle.

Anonymous said...

Nice work, Jeremiah! I like your 5 Stages :-). This scale makes web app security more interesting (I'm planning to write about it at my site).

As for myself, I feel I'm at the Acceptance stage. And I'll try to keep myself at that stage for a long time ;-).

Jeremiah Grossman said...

Glad you liked it. I think I made it all the way through while at Yahoo! on the enterprise side. Now on the vendor side, I have to repeat it. :)