Monday, August 13, 2007

Web security is moving in the right direction

Despite the last post's unpleasantness, this morning I woke with a general sense of excitement and optimism. Sure, we all know website and browser security is in an abysmal state: vulnerabilities can be identified in most important websites in under 20 minutes, and it's almost impossible to protect yourself from a malicious web page. However, after every conference I attend where I get to talking with people, I get the sense that things are definitely looking up.

Industry groups (WASC and OWASP) are buzzing with activity, mailing list and message board posts are frequent and informative, browser vendors are engaging with the community and asking for public comment, programmers are using modern development frameworks and asking the right questions about secure software, and organizational budgets now have web security line items. These are all very good signs. And I think it all started with awareness. You can't fix it if you don't know what's broken.

The only problem is progress never seems to come fast enough. It's going to take years before measurable improvements are made. Any browser security architecture change probably won't come for another full version or two (Firefox 4 and IE 9). It's also going to take at least 7-10 years before the majority of important websites are replaced by ones built on modern technology and/or have remediated their current set of issues. This also means there is opportunity to make a real difference; perhaps a few clever people in the crowd have some bright ideas to speed up the process.

And for those already in Web security, this also means there is job security for quite some time. ;)


Christian Matthies said...

Mhh, I see the trend. I know that more and more people pay attention to security and know some basics about it. Nevertheless, the trend moves straight towards Web 2.0, which itself brings a whole lot of literally new serious threats. I think in the near future an attacker will be able to cause way more damage with much less effort, just due to the way the Web will be designed.

Interesting topic to reflect on. Anyway, for the time being it's good to see that things are looking up ;)

Jeremiah Grossman said...

Definitely, websites are indeed getting more security, but have never been more at risk. Funny how things work out.

Rob said...

I think one of the biggest issues with web browser and application security is that it all sounds so complicated. I get turned off by it because it can get very technical very quickly, and loads of acronyms get bandied about all over the place.

I know it's hard for someone who is so involved at the coalface of sorting these problems out, but toning it down a few notches would bring 80% of the population back in line with being able to understand, and that would be bound to include a few developers.

Christian is dead right about Web 2.0, and not just because of the way the web works, but because more people will be able to create and build applications on top of already weak ones, more uneducated people. We need to be opening up to the masses on security, not just easy coding methods.

Jeremiah Grossman said...

That is a HUGE problem for web security. So much esoteric terminology and a lack of basic information that focuses on the high-level but important aspects. I've been trying hard to figure out how to remedy the situation in my presentations, but as a techy engineer... it's been difficult, but I'll keep trying.

Naocha Pebam said...

Well, it's we humans who create it, and we will even destroy it.
Creators are the crackers.
Let's keep on fighting.