There is a new meme in Web security that states we should focus the bulk of our attention on
building secure software instead of
breaking it. As Jeff Williams of Aspect Security says, we are not going to “hack our way secure.” For example, repeatedly crash-testing the same automobile without taking further action would not directly result in saving lives. However, what crashing cars and breaking software does provide is proof. Proof that seat belts and air bags are essential, just as integrating security controls within the software development life-cycle is. Without this proof, there would be no action because the costs could not be justified. At the same time, breaking things is much better at capturing headlines because its opposite, success in security, causes nothing unexpected to happen. “Nothing unexpected” obviously does not make for very interesting stories. In my view the Builder vs. Breaker meme isn’t necessarily wrong, only an oversimplification.
First its difficult, if not impossible, to future-proof software against attacks techniques that don’t yet exist. Secondly, very few organizations would justify expending resources to mitigate possible attacks they don’t respect. This was true for buffer overflows. Known for over 20 years (thanks to breakers) yet they remain an issue despite all the attention they received during the last ten. Also true for Cross-Site Scripting (XSS), SQL Injection, and Cross-Site Request Forgery (CSRF). These Web attacks, technically “known” since the late 90s, again thanks to breakers, but only a handful of researchers picked up on their potential early on. Back then few, including infosec insiders and software developers, truly understood how severe the repercussions would be down the road. All three issues and many others laying dormant are either unknown, unrespected, or unjustified to resolve -- ultimately leading to a lack of action. Fast forward ten years and one-hundred million websites, the Web security problems have become beyond pervasive and lay predominately unexploited until fairly recently.
In 2005 XSS first commanded respect when a not-so-malicious
hacker released the first major Web Worm upon MySpace that infected over one million user profiles in under 24 hours. Now XSS attacks carrying JavaScript malware payloads, including extremely convincing
Phishing w/ Superbait scams, are routine. SQL Injection, despite dozens of white papers and notable compromises, didn’t receive mainstream attention until late 2007 when malicious hackers used it to
infect millions of websites with browser-based exploit code. What about
CSRF, the sleeping giant that is every bit as pervasive as XSS? Well, we are still waiting and have no idea when CSRF will be taken seriously. Bank on the day, in the not-too-distant future, when widespread exploitation occurs. Lets also not forget about
Clickjacking, made famous due to two breakers (Robert Hansen and yours truly) in 2008. Technically “known” years prior, Clickjacking, despite all the media attention, probably caused few builders to alter their design decisions. They will wait for the malicious hackers to force them take protective measures, likely sometime after another 100 million new websites are built.
In my opinion, we have too few skilled breakers to cover all the mature technologies let alone the new ones. It took the exceptional work of clever breaker Dan Kaminsky and the media to expose the
dangerous flaws within DNS to stimulate a concerted effort towards resolution. Also recently, Alexander Sotirov and a team of researchers exposed why
Certification Authorities should not be using MD5. They took a sophisticated attack technique known years prior and turned into a reality, and in doing so justified action now rather than later. The information security landscape is littered with such examples. Now emerging technologies such as Google Android and Apple iPhone applications, Web Widgets on Facebook/MySpace/etc, Web browser add-ons, Flash, Silverlight, and so on are popping up. Even with all the security resources invested by these companies, what expert or vendor in their right mind is going to claim security perfection? The reality is as long as software bugs and design flaws exist, this is how builders, breakers and malicious hackers will interoperate.
Builders build software, which gives breakers something to break. Breakers break software, a defensive sanity checking process, and provide insights into what attacks are theoretically possible. Notice I said possible, NOT probable. A slight, but extremely important distinction. This is why conferences like
Black Hat and
Defcon exist, to expose forward thinking people to the most cutting-edge issues that could possibly be used in the future, even without a guarantee of later exploitation. Then at some point malicious hackers hack said software, making what was previously possible probable. This probability justifies action to mitigate the issues, both immediately and proactively. I’m not saying this is the right way, the best way, or that we can’t do better. I’m saying this is how security of all kinds tends to work. Clearly if everyone knew back then what we know now about XSS, SQL Injection, CSRF, DNS, and MD5 we might have done something sooner. Hindsight is always 20/20. As its been said, "life can only be understood backward, but it must be lived forward."