Wednesday, February 3, 2010

Walk a mile in someone else's shoes.........

After what seems to be the hundredth time of explaining to a developer that hidden form fields mean nothing, client-side JavaScript controls are great for optimization but not for security blah blah blah I started thinking that if developers performed one or two dynamic analysis tests with an experienced AppSec consultant we'd be in a lot better shape.

Consider that there is a large number of developers out there that have never actually viewed an HTTP request/response sequence. Developers that aren't familiar with what is actually being passed in the ViewState and have no idea just how easy and quickly numerical, seemingly random character sequences and other controls can be iterated through and stomped all over.

Good application security consultants are expected to have some development experience. There are subtle nuances, coding decisions and framework protections that have to be taken into account and ultimately play into not just discovery of findings but considerations for mitigation.

To summarize, if it helps me the security consultant to build applications, utilize the latest and greatest whether it be Flash, HTML 5, or simply a newer framework in order to fully grasp my chosen profession.............shouldn't this mentality be the same for developers?


Doug W said...

It totally should. But the problem here doesn't really lie with developers.

I feel like a broken record from years of presenting Web App Sec 101 in different forms, but it's a matter of priorities. Devs are not "dumb," but they have different priorities, and most of them don't place any importance on security in the same way that we don't place much importance on learning web app development. They learn as much as they are forced to, much as we learn as much as we are forced to.

The big battle is getting people to change their priorities to include awareness of the "other side," and ultimately to have people realize that they are part of the same problem. This really needs to happen at a management and decision maker level, the techies can try to drive from the server room for only so long.

But for years, I've been trying to raise awareness, and it does make a difference -- but security people need to get outside their comfort zone, and interact with devs in the dev world. After the first ten times of getting laughed at, you may find someone who will listen.

Ultimately, only systematic, economically driven changes will really make a difference. But education is key, and we need to start at any level we can get traction. Many deride chasing after the little things when the problem is really "big," but honestly, it has to be combated on all fronts, and anywhere you can raise awareness is worth it to me.

cktricky said...

Dallendoug - Do we have a list of developer focused meetings, cons, etc. that are distributed to the AppSec community whether it be via OWASP or some other entity?