Background: I've spent the last four years largely working in the information security realm, including getting a degree in Information Assurance and working as a cyber defense intern at Sandia Labs.
<strong>I hate the current state of information security.</strong> My other degree was in Computer Science and I've switched to be a full-time developer because the entire security world is full of people and posts like this one. Listen carefully: It does absolutely nothing to make demos and write posts that say you can hack things. "I use PHP" "Oh I can hack that!" Everyone can hack everything. You're missing the point entirely.
Want to help software become more secure? Dive into the software development process and give real, tangible, code writing advice helping developers learn what they should do instead of what they shouldn't do.
The advice in this article was "Don't use eval() and use something safer than JSON.parse()" Wow! Thanks! That's so helpful! How about something like: "When looking to parse JSON input, use OWASP's ESAPI function here http://code.google.com/p/owasp-esapi-js/wiki/SignedJSONSpeci...
Or how about some actual tutorials on how to correctly use NoSQL and server-side JavaScript? How about writing an open letter to MongoDB or whoever with the tutorials and lessons they should be teaching?
I'm sorry for the rant, but I've become enraged over four years of listening to security experts trying to help security with the most useless tactics. I understand a lot of them want the glory of showing how they hacked something, but if you really care about helping the world create more secure software, you need to understand what will actually help that cause. Boasting your hacking skills and telling people what to avoid does not help. Be progressive and proactive - teach people the correct way to do things!
Edit: I just thought of an analogy that might help express what I mean. Ever seen that show on the Discovery channel (I think it's cancelled now) where the two ex-robbers go help a family secure their house? First, one of the guys shows them how exposed they are by breaking into their house and stealing all of their stuff. Then, the other guy brings in security system tools and shows the family what they need to be doing in order to protect themselves. Usually the advice isn't very life changing and the family is happy that they can make little adjustments in order to be safer. The current state of information security is exactly like if they had that show without the second guy coming in and showing how they should protect themselves. There are a ton of security experts out there who just like to break stuff, get to go hack stuff, and say they're helping people protect themselves when they offer virtually no advice or education on what to do.
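The comment above quotes the article's advice as "don't use eval(), use JSON.parse()". Below is an added example, not code from the thread or from the article it discusses, that shows what that advice looks like in a Node.js request handler: eval() run over a hostile body, JSON.parse() refusing the same body, and the field and type check that still has to follow JSON.parse() before the result can be used as a database filter. The request bodies and the field schema are constructed for the example.

```javascript
// Added example, not code from the original thread or from the article it
// discusses. It contrasts eval()-based and JSON.parse()-based handling of an
// untrusted JSON string and adds the validation a server should perform
// before such data reaches a query. All inputs below are constructed.

// Benign request body.
const BENIGN_BODY = '{"user": "alice", "age": 30}';

// Valid JavaScript, not valid JSON: a function call hidden inside the object
// literal. eval() will run it; JSON.parse() will refuse it.
const HOSTILE_BODY =
  '{"user": "alice", "age": (function () { globalThis.pwned = true; return 30; })()}';

// Syntactically valid JSON whose "user" value is an object holding a MongoDB
// query operator instead of a string. JSON.parse() accepts it, so a type
// check is still required before the value is used in a database filter.
const OPERATOR_BODY = '{"user": {"$ne": ""}, "age": 30}';

// The pattern to avoid: eval() on attacker-controlled text executes it.
function parseWithEval(body) {
  return eval("(" + body + ")"); // never do this with untrusted input
}

// What to do instead: JSON.parse(), plus a size cap and a shape check.
function parseUntrustedJson(body, maxBytes = 64 * 1024) {
  if (typeof body !== "string") throw new TypeError("body must be a string");
  if (Buffer.byteLength(body, "utf8") > maxBytes) throw new RangeError("body too large");
  const value = JSON.parse(body); // throws SyntaxError on anything that is not JSON
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new TypeError("body must be a JSON object");
  }
  return value;
}

// Keep only the expected fields, and only when each has the expected
// primitive type. Objects and arrays are rejected, so a value such as
// {"$ne": ""} can never be passed through as a query term. The field list
// is an assumption for this example; a real handler would use its own schema.
const SCHEMA = { user: "string", age: "number" };

function pickScalarFields(obj, schema = SCHEMA) {
  const out = {};
  for (const [field, type] of Object.entries(schema)) {
    if (!Object.prototype.hasOwnProperty.call(obj, field)) {
      throw new TypeError(`missing field: ${field}`);
    }
    const v = obj[field];
    if (typeof v !== type || (type === "number" && !Number.isFinite(v))) {
      throw new TypeError(`field ${field} must be a ${type}`);
    }
    out[field] = v;
  }
  return out;
}

// Parse, then validate. Returns a plain object containing only the schema's
// fields, or throws.
function readRequestBody(body) {
  return pickScalarFields(parseUntrustedJson(body));
}

// Returns the constructor name of the error thrown by fn, or null if none.
function errorOf(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("eval on hostile body:", parseWithEval(HOSTILE_BODY), "pwned =", globalThis.pwned);
  console.log("JSON.parse on hostile body:", errorOf(() => readRequestBody(HOSTILE_BODY)));
  console.log("operator body:", errorOf(() => readRequestBody(OPERATOR_BODY)));
  console.log("benign body:", readRequestBody(BENIGN_BODY));
}
```

Run it with `node` to see the eval() call set `globalThis.pwned` while the JSON.parse() path throws a SyntaxError on the same string; the operator body gets past JSON.parse() and is stopped only by the per-field type check, which is the part that addresses the "NoSQL injection" concern raised later in this thread rather than the eval() one.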
Step back from MongoDB and Node.js and whatnot and look at simple Ruby on Rails and Django applications. Heck, pan all the way back to J2EE Java web apps.
Best practices for securing these kinds of applications are well known, well documented, supported by tutorials and libraries.
How many J2EE applications do you think we work on that survive first contact with a pentest team?
I don't know what to tell you about the tone of this particular blog post. I also find the tone of published security research to be grating, especially over long periods of time, most especially coupled with trade press coverage.
But please do not kid yourself. We are not a few actual tutorials and open letters (?) away from secure web applications on any stack, let alone the new ones where developers actually start projects assuming that "NoSQL" does in fact mean "NoSQLI".
It's best to think of presentations like this as having a very narrow thesis: "Developers widely assume technology X is free from application security flaws. In this presentation I demonstrate conclusively that this isn't the case. The contribution made by this research is the confirmation that programming mistakes that are similarly pernicious and damaging as SQL Injection do exist in this technology."
Saying that a fundamentally different approach is needed to improve software security is radically different from saying we are "a few tutorials and open letters from secure web applications." My rant was the former.
I got "tutorials" and "open letters" from your comment.
I fundamentally disagree with the idea that publishing new ways to break software isn't the best tool we have to improve software security.
But even if I didn't, if you're going to berate someone for publishing an attack instead of doing something else, the onus is on you to come up with a plausible alternative.
Right on. These folks like to talk about how they can pwn everything under the sun. That kind of talk is cheap and easy. On the other hand, writing an article with tangible ways to protect your MongoDB database would take some effort and would not be interesting to them.
It is not cheap and easy to find new vulnerability classes. The people who say things like this are virtually always members of the set of professionals who have never discovered any new attack classes at all.
It may be harder to build something good than it is to break things, but it is almost invariably harder to break things than it is to build the average thing.