
codesecurely.org

Rudolph Araujo's ramblings on the world, my life, my work and oh yeah security!
Software Security – So Much For Theory

Unfortunately, like most other things, software security sounds great in theory, but the devil and the pains are in the details and in getting it right on the ground. This morning I ran into a whitepaper by a security vendor selling one of the leading source code auditing tools. The paper was quite interesting, and while I didn't have the opportunity to read it entirely, I did browse through it quickly and noticed an interesting side note on forced browsing. Now, to get to the whitepaper you are required to sign up for an account, which probably promptly makes its way into a CRM system; nothing wrong with that, of course. Except that once I logged in successfully, I was provided a link to download the PDF. Turns out this link itself can be force-browsed, i.e. if I know the URL for the whitepaper PDFs I can bypass their "authorization" (which requires me to have an account in their CRM system) and still get to the resource (the PDF in this case). Mark Curphey has pointed this out in the past with the PCI standard, where you can bypass their EULA. This is perhaps a more telling example since I am bypassing actual authentication; however, in both cases it is security folk not getting it right, which only leads to the thought: "if even we, the so-called security experts, cannot get it right, even in these (as some would say) trivialized examples, can we really expect the average developer who has a million other priorities to get it right?" Admittedly, in both these cases it wasn't state secrets or credit card information at stake, but still, can we start getting our houses in order first? As the saying goes, "People who live in glass houses should change in the dark" ;) Let's get the details on the ground right!

Note: I have intentionally not named the company in question here, since this is not an attempt at mud-slinging, just a comment that software security is not easy. I have also let the company know, through a friend who works for them, about the issue, and again, this is not the most severe vulnerability you would see on Secunia!
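The pattern described above, the login check sitting on the page that links to the PDF rather than on the PDF itself, is easy to reproduce in a few lines. The following is an added example written for this post, not code from the vendor or from the original article: two tiny request handlers (a vulnerable one and a hardened one) over a constructed session store and a constructed asset table, plus a check that requests the resource both with and without a session. The route names, the session cookie and the PDF path are all assumptions made up for the illustration.

```python
"""Forced browsing: authorize the resource on every request, not just the link to it.

Added example; routes, cookie name, session store and asset contents are constructed
stand-ins, not the real site's.
"""
from dataclasses import dataclass, field
from http import HTTPStatus

# Constructed session store: cookie value -> account (stand-in for the CRM-backed login).
SESSIONS = {"tok-1234": "alice@example.com"}

# Constructed protected assets: URL path -> bytes served.
ASSETS = {"/files/whitepaper.pdf": b"%PDF-1.4 constructed sample"}

LINK_PAGE = b'<a href="/files/whitepaper.pdf">Download the whitepaper</a>'


@dataclass
class Request:
    """Minimal request: path plus cookies; no network involved."""
    path: str
    cookies: dict = field(default_factory=dict)


def current_user(req):
    """Resolve the session cookie to an account, or None when not logged in."""
    return SESSIONS.get(req.cookies.get("session"))


def vulnerable_app(req):
    """Login gates only the page that links the PDF; the PDF handler checks nothing.

    Returns (status, headers, body). Anyone who knows the PDF URL can fetch it directly.
    """
    if req.path == "/whitepapers":
        if not current_user(req):
            return HTTPStatus.FOUND, {"Location": "/login"}, b""
        return HTTPStatus.OK, {"Content-Type": "text/html"}, LINK_PAGE
    if req.path in ASSETS:  # no authorization here: this is the forced-browsing hole
        return HTTPStatus.OK, {"Content-Type": "application/pdf"}, ASSETS[req.path]
    return HTTPStatus.NOT_FOUND, {}, b""


def hardened_app(req):
    """Same routes, but the session check runs for every protected path, asset included."""
    protected = req.path == "/whitepapers" or req.path in ASSETS
    if protected and not current_user(req):
        return HTTPStatus.FOUND, {"Location": "/login"}, b""
    if req.path == "/whitepapers":
        return HTTPStatus.OK, {"Content-Type": "text/html"}, LINK_PAGE
    if req.path in ASSETS:
        return HTTPStatus.OK, {"Content-Type": "application/pdf"}, ASSETS[req.path]
    return HTTPStatus.NOT_FOUND, {}, b""


def forced_browsing_check(app, path, valid_cookie):
    """Fetch `path` with a valid session and again anonymously.

    Returns True when the resource is served to both, i.e. the direct URL bypasses
    the login; False when the anonymous request is refused or redirected.
    """
    with_session, _, _ = app(Request(path, {"session": valid_cookie}))
    anonymous, _, _ = app(Request(path))
    return with_session == HTTPStatus.OK and anonymous == HTTPStatus.OK


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        hit = forced_browsing_check(app, "/files/whitepaper.pdf", "tok-1234")
        print(f"{name}: forced browsing {'possible' if hit else 'blocked'}")
```

The check is the same one a tester would run against a live site with two browser profiles or two curl invocations: compare the response to an authenticated request with the response to an anonymous request for the exact same URL. Note that the hardened handler re-uses the single session check for every protected path; keeping authorization in one place is what stops a new asset route from quietly shipping without it.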

Posted: Tuesday, April 24, 2007 11:16 PM by rudolph