Tuesday, September 3, 2013

Web security, Dark Matter Developers and lowering the bar

I’ve had some very interesting web security discussions recently: how many rounds of various hashing algorithms should be used for modern day password storage, whether response header obfuscation is pointless in a world of easy HTTP fingerprinting and some of the deficiencies in the X-Frame-Options header, to name but a few. But every now and then I see something that brings me back down to earth and reminds me of the level that requires the most attention, security-wise. Allow me to present Exhibit A:

(Screenshot: “Display password to screen by email address”)

No, you didn’t misread that. No, it’s not a mockup. Yes, you really can display someone’s password on the screen if you know their email address.

Ah, “But wait”, you say! “You need a postcode”, you say, in a last-ditch attempt to defend the indefensible. Of course this is true, but equally true is the fact that down under in Australia (which is where this site’s customers reside), our postcodes are 4 digits. But rather than there being 10,000 possible postcodes, there are 2,897 in use according to Australia Post. And if you know the state someone lives in then it’s a fraction of that. Know the city and it’s a fraction of that fraction. The point is that enumeration is trivial: a few thousand requests at the very most gets you the password.
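The recovery feature in the screenshot and the enumeration argument above, as an added example (this is not code from the post, and not from either of the sites shown): a handler in the shape of Exhibit A that hands back the password for an email address and postcode, the attacker’s loop over the 4-digit postcode space, and beside it the version that cannot leak a password because it only stores a salted PBKDF2-SHA256 hash and resets via a single-use, expiring token emailed to the account. The account, its password and the postcode ranges are constructed for the demo; the PBKDF2 round count and the 15-minute token lifetime are assumptions, not values from the post.

```python
"""Password recovery as in Exhibit A, beside a version that cannot leak the password.
Added example for this post; the account, password and postcode lists are constructed."""
import hashlib
import hmac
import secrets
import time

# --- Exhibit A, as code -----------------------------------------------------
# To display a password on screen the site must store it in a recoverable form,
# so this store keeps plaintext. Constructed record, not a real account.
VULN_USERS = {
    "alice@example.com": {"postcode": "2000", "password": "hunter2"},
}


def vulnerable_recover(email, postcode):
    """Email + postcode in, password out: the feature in the first screenshot."""
    user = VULN_USERS.get(email)
    if user is not None and user["postcode"] == postcode:
        return user["password"]
    return None


def enumerate_postcodes(recover, email, candidates):
    """Attacker loop: try every candidate postcode, return (password, requests made)."""
    for attempts, postcode in enumerate(candidates, start=1):
        password = recover(email, postcode)
        if password is not None:
            return password, attempts
    return None, len(candidates)


ALL_POSTCODES = [f"{n:04d}" for n in range(10000)]        # naive 4-digit space
# Assumed state range for the demo: Australian postcodes are allocated by state,
# so knowing the state cuts the candidate list to a fraction of the space.
STATE_POSTCODES = [f"{n:04d}" for n in range(2000, 3000)]

# --- The version that cannot leak the password -------------------------------
PBKDF2_ROUNDS = 100_000   # assumed cost; tune to your hardware, it is not a magic number
TOKEN_TTL = 15 * 60       # reset links expire after fifteen minutes (assumed)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SafeStore:
    """Stores only a salted hash and resets via a single-use, expiring token."""

    def __init__(self):
        self.users = {}    # email -> {"salt": bytes, "digest": bytes}
        self.tokens = {}   # sha256(token) -> (email, expiry)
        self.outbox = []   # stands in for the mail server: (email, token)

    def add_user(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "digest": hash_password(password, salt)}

    def login(self, email, password):
        user = self.users.get(email)
        if user is None:
            hash_password(password, b"\x00" * 16)   # burn the same time for unknown accounts
            return False
        return hmac.compare_digest(hash_password(password, user["salt"]), user["digest"])

    def request_reset(self, email, now=None):
        """Same reply whether or not the address exists, so the loop above learns nothing."""
        now = time.time() if now is None else now
        if email in self.users:
            token = secrets.token_urlsafe(32)
            # only a hash of the token is stored: a leaked tokens table is then useless
            self.tokens[hashlib.sha256(token.encode()).digest()] = (email, now + TOKEN_TTL)
            self.outbox.append((email, token))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # single use
        if entry is None:
            return False
        email, expires = entry
        if now > expires:
            return False
        self.add_user(email, new_password)
        return True


if __name__ == "__main__":
    pw, n = enumerate_postcodes(vulnerable_recover, "alice@example.com", ALL_POSTCODES)
    print(f"whole 4-digit space: {pw!r} after {n} requests")
    pw, n = enumerate_postcodes(vulnerable_recover, "alice@example.com", STATE_POSTCODES)
    print(f"state narrowed:      {pw!r} after {n} requests")
    store = SafeStore()
    store.add_user("alice@example.com", "hunter2")
    print(store.request_reset("nobody@example.com"))
    print(store.request_reset("alice@example.com"))
    _, token = store.outbox[-1]
    print("reset ok:", store.complete_reset(token, "correct horse battery staple"))
    print("old password still works:", store.login("alice@example.com", "hunter2"))
```

Running the module shows the attempt counts: the whole 4-digit space reaches the constructed postcode after 2,001 requests, the state-narrowed list after 1. Against the hardened store the same loop is pointless: the reply is identical for known and unknown addresses, the token arrives only at the account’s own mailbox, it dies after one use or fifteen minutes, and a stolen database yields PBKDF2 hashes rather than passwords.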

Oh well, one dodgy website doesn’t make the security of the internet too woeful, right? Yeah, about that:

(Screenshot: Nexpart forgotten password feature)

Well at least when some random person retrieves your password they do so over SSL, that’s some solace, right? Right? Hello?

Actually, the real point is this: very frequently, this is the level I find us addressing security at. This is the coalface of web developers standing up online presences and it’s those developers – the “Dark Matter Developers” – we need to get to.

Dark Matter Developers

When we have discussions about security (and by “we” I mean you, I and the raft of other people who eagerly engage in online discussion), we are but a very small subset of the software community. I don’t mean that in the sense that there’s just a few of us engaged in this conversation here, rather there’s a very limited number of people like us engaging in any online conversation. I like the way Scott Hanselman sums it up in his post on Dark Matter Developers: The Unseen 99%:

My coworker Damian Edwards and I hypothesize that there is another kind of developer than the ones we meet all the time. We call them Dark Matter Developers. They don't read a lot of blogs, they never write blogs, they don't go to user groups, they don't tweet or facebook, and you don't often see them at large conferences.

Which conversely, by my deduction, makes us the 1%ers (except in less of an outlaw way). So here’s the point I want to make: when you have a very small portion of the overall software community actively engaged, rapidly learning and dare I say “pushing the barrier” of all things software (including security), we tend to forget about the remaining 99%, and I’d wager that they’re the ones building the apps like you see above. We need to lower the bar.

The lower bar

Let me give you an example of what I mean: as many of you know, I recently pushed a second Pluralsight course. Like the first course, it’s targeted at “Intermediate” skill level developers; you need to have a grasp of the basics of web development (ASP.NET specifically in the first course) but certainly don’t need to be an expert to use the course. So out of the Top 100 courses, how many do you reckon target “Advanced” developers rather than “Beginner” or “Intermediate”? A third? A quarter? 2. Two. One, two. Of the remaining 98, 41 are beginner and 57 are intermediate.

Of course there aren’t a whole lot of advanced courses across the entire library and that’s kinda the point – that’s not where the big chunk of the audience is. As awesome as these courses are (and for that matter, other advanced material to be found online), the point is that many of us forget about just how low the bar is set for the vast majority of developers out there. Now this isn’t meant to be derogatory; undoubtedly the rapid growth of technology as we know it is driven by that level of accessibility. Would the iPhone have been as successful as it is if it wasn’t so easy for someone to jump in and start building apps? Probably not. Are iPhone apps full of security holes? As a generality, an emphatic “yes”. And this is why we have situations like the ones in the opening of this post.

We need more “Beginner” and “Intermediate” security education, not because developers are stupid (with some notable exceptions), but because this is a big whack of the software world that many people simply haven’t given a lot of thought to. Every time I prepare a talk I worry that I’ve dumbed things down too far but always – always – end up finding that I’ve pitched numerous concepts above the understanding of much of the audience. I’ve made assumptions about their knowledge based on my experiences which are very different to their own.

Now none of this should be at the expense of the more advanced stuff we already have – that is invaluable info for those few individuals and organisations already taking online security seriously. But it’s missing the Dark Matter guys – it’s missing the vast bulk of people building software on the web today. The screwy password retrieval above is but one example (ok, two examples of the same thing), I’ve written before about similarly screwy views on security (you are encrypting your passwords with base64, right?) and if you browse back through the security tag on this blog you’ll find many more takes on protecting web apps that, to you and me, are ludicrous.

It’s also up to us to use a bit of decorum when tackling security at this more basic level. I see a lot of comments on my posts and in places like Reddit (a well-known source of objective, balanced commentary) along the lines of “Duh, you’ve gotta be completely stupid to do that” and whilst stupidity is sometimes the root cause, so is inexperience, or simply a focus on other priorities such as shipping software. Derogatory and negative comments really don’t do anyone any favours here and they demonstrate the point I’m making – we’re the noisy minority and we often forget where the bar really sits when it comes to security on the web.

We’re the 1%ers; let’s not forget the 99%, give them the support they need and above all, try to be nice about it.
