or Dishwashing and Phone Handling Optimization at Foundry Building
Preface: This talk was intended to be a broad overview of what application security is, what it looks like in the wild, how it applies to different career fields within an agency environment and offer some introductory ideas to plant some seeds that people can investigate on their own. All slide imagery as a result of GIS, property of their respective owners and not necessarily applicable to whatever is being talked about at the time.
A little background about myself: I graduated from Gonzaga in the late ’90s with a degree in Business Econ. The biggest thing I took from that was my distaste of that life (nothing personal, it just wasn’t for me!).
Computers have always been my thing, and after a few years of re-educating myself in the ways of the web and server management (in the olden times around 98, classic ASP and access databases yikes), I had the chance to start working in the ad world. Fast forward 10 years and I’m still doing my thing but with more exciting technologies and clients!
One of the challenges for a Backend Dev/IT guy for ThinkLabs presentation is coming up with a topic that would be applicable to the 40+ video producers/graphics designers/animators/ActionScript coders and 2 server devs at 14Four and Seven2 and keep them from falling asleep!
Well, what’s more fun to read about than hacking? Let’s go!
Application Security, what is it?
Basically it’s keeping people out of your stuff, or failing that, limiting their ability to make you look like a jerk. Now, each of these is basically a career path in today’s world and our larger clients will typically have rooms of people specialized in these fields. It’s good to know what kind of technical perspectives people may be reviewing your work from.
Threat modelling – Taking your project and looking at it from the perspective of someone with ill intent. [wiki]
Secure Design, Coding, Deployment – Not just designing or building the good parts, but accepting and handling as many bad parts as you can. [wiki]
Security Testing – Testing your project not just to make sure the expected process works, but also that you’re preventing vectors for people to kick over your sand castle [wiki]
Incident Response – Who/What is your plan if something bad happens? How long does that hold true for? [wiki]
Vulnerability Management – How do you repair or respond to issues if and when they appear? [wiki]
Risk Management – Prioritizing and understanding the potential and actual avenues for trouble of your project. This is especially important for smaller ad agencies, as there way more vulnerabilities in the wild than can be covered by limited budget, timeline and expected experience. [wiki]
What is an intrusion?
These are the three main categories of security breach as researched by OWASP in 2011. [link]
The dangerous mime pictured is not an official threat, but you should still stay vigilant.
The consequences of a security breach are embarrassment of varying affect to the client and or agency. The results are put into a clearer picture with the increased profile and drama based around hacking in today’s mediascape.
The Playstation Network hack was the one of many high profile hacks this year which brought into question how secure personal private information really was. [huffpo] This was blown out of the water shortly thereafter by a barrage of breaches against many different locations, seemingly at random. [pbs hack via huffpo] [lulzsec timeline]
The important thing we must take from this is that we can never predict if or when one of our properties or clients will get caught in the crossfire or be otherwise targeted by malcontents. Even if we work on a tiny little microsite, if it and 10 of its unrelated neighbors under the same client umbrella get taken down and have their “secured” personally identifiable information data published online, you’ve help paint a poor picture of a client which doesn’t help your agencies relationship!
How do these break-ins happen?
SQL Injection [wiki] is still a very prevalent vector, which can cause quite a bit of problems for unprepared websites.
Traffic that isn’t run through SSL (https) is up for sniffing, making it possible for your users to have their sessions (and subsequent accounts) hijacked. Firesheep was recently in the news because of how easy it made it for non-hackers to perform this kind of attack. [wiki]
Bypassing hardware/OS defenses of under-patched systems is always an issue for sites with a longer life-cycle, and can possible require a service agreement if you are responsible for project hosting.
So all of this is awful, what can we do about it?
We do the best we can because budgets are limited, time is of the essence and sometimes security runs contrary to the experience we want a project to deliver. Also, to better ensure that security is prioritized on a project, we redistribute the load so that everyone shoulders a little bit of the burden throughout the concepting and development lifecycles of the project.
Designers, developers, testers and those responsible for hosting can take a bit of the work of making sure the project is as secure as possible, avoiding any late-game surprises that may pop up due to time-line crunches or budget concerns.
To conclude, all we really know is that intrusions are an inevitability and the best that an agency can do is work within the confines of its budget and timeline to protect it’s delivery as best as possible.
To get the most security “bang for the buck”, a typical boutique-style agency without dedicated testing or security teams must share the burden in order to maintain the best balance between security and usability.
*Note: It’s worth mentioning that the last bullet point under managing your risk is in the context of diligently working to find and fix issues and not encouraging some sort of Goldman Sachs coverup shenanigans.
After stumbling upon this write-up of the Physics of the Crane Kick, it really hit home that there’s no predicting what people on the Internet will do at any given time. Ignoring or neglecting security merely advances your inevitable chances to a breach that much closer to 100%.