tags:

views:

97

answers:

3
+3  Q: 

How can security in software be made really simple ?

Often, I am told that Security functions are not available at a level of abstraction that a developer with little security knowledge can use them. What changes will the developers want in their developement environment say for Java that will make securing their software much easier than today.

I am looking at new ways like providing configurability at the level where the programmer just has to declare the security function he desires and the level he wants and only really power programmers will need to go and do something really extra.

So 2 part question - what services will you want as a developer and how would you like it to be integrated into your IDE (your development environment) so that you can easily use it.

+4  A: 

where the programmer just has to declare the security function he desires

That's like asking "What type of scalpel can I buy so I don't have to learn doctorin'?"

You can't.

The issue of "security" covers a very broad range of concerns. You don't just "turn on security" and it's done. Security issues involve guarding your software from an ever-growing number of malicious behaviors.

At the root of it, computers have to let people do things. To give users that freedom, people will always find ways of getting into things they are not supposed to get into. The people who write operating systems, frameworks, and development environments can patch holes and abstract away some of today's security concerns but new ones will always be developed. Daily. It's a moving target.

Security is complicated because you have to know what types of vulnerabilities your application can be subject to. The only way to learn that is through vigilant study and experience.

You can't just flip a switch.

Robert Cartaino  2010-01-11 22:57:10
Security is not a product. :-)
Jesse Weigert  2010-01-11 22:57:50
To be honest, you're wrong. Your answer is the 'easy' way out. Language designers, OS designers, API designers have been doing this type of thing for years, but you don't recognise it. You use SSL in your apps; you aren't writing a DH key exchange system yourself. Why? Because the HTTPS protocol was invented by someone to make *your* job easier, and *your* communication secure, by switching on a switch. I hope that one day people get over this simplistic view and accept that things *can* be done easier, and all it takes is a little work and a lot of thought.
Noon Silk  2010-01-11 23:07:20
@silky: Security spans much, much more than cryptography alone (unfortunately). Cryptography can be implemented with libraries; security is a process and is much harder (impossible?) to implement with tools. If developers stop thinking and only rely on libraries and protocols, we can be sure that software security will never improve.
molf  2010-01-11 23:17:15
molf: Again, the same comment applies to you; this is a simplistic view and ignores all the work of the existing libraries that make your day-to-day apps more secure. Please see OWASP ESAPI, and my other post in this thread, describing exactly how the development of a secure api (i.e. fully context-aware) can work. It is a disservice to ourselves to just brush it off and say 'Too hard, impossible,' and not actually *think* about it.
Noon Silk  2010-01-11 23:20:17
@silky - No, I agree. *Past* security problems *are* often solved. Memory managers protect us from exploits from buffer overruns, future web frameworks will probably obliterate XSS. There's SSL, UAC, encryption... today's security concerns being abstracted away. But my main point was that doesn't make security "really simple." Many vulnerabilities come from completely valid actions. New exploits are invented. It sounds like the original author was asking what needed to be done so developers could just "declare security," not worry (or understand) about this stuff and just add the good stuff.
Robert Cartaino  2010-01-11 23:48:01
Robert: No, vulnerabilities *do not* come from valid actions; they come from actions that shouldn't be allowed in the first place. Exploits aren't "invented" they are "discovered". You can't just "magic" something up out of nothing; it comes from identifying a flaw in an implementation or protocol. Security is not magic, vulnerabilities are not magic, and you *can* make it easier, and in fact, it IS made easier, in all the languages we use (to varying degrees of success). It's naive to think otherwise, and not helpful. The OP may be idealistic, but the goal is a nice one, and achievable.
Noon Silk  2010-01-11 23:50:53
A: 

The more I think about it, the more I realize that what you want actually exists. Programmers tell the computer what they want it to do in a very specific manner, using well defined languages. The computer is expected to do exactly what the programmer dictates, within the definition of the language. If the programmer wants security, s/he can already tell the computer to act in a secure manner - such as using String classes in C++ to avoid buffer overruns with char arrays.

Of course, this isn't enough. Programmers still get things wrong, so language designers try to help with things like Java. In Java, buffer overruns are much harder to exploit beyond a simple application crash (char[]c = new char[1]; System.out.println(c[10]);).

But that's not really enough - the compiler can have bugs that will insert overruns, or the virtual machine may have such bugs. And other vulnerabilities will exist - like bad permissions on files, or exploitable race conditions (aka TOCTOU).

As we find vulnerability types, we can take steps to prevent them (developer training, new language features, new compiler features, and new OS features), and we can take steps to identify them (dynamic analysis, source code analysis, binary analysis), but we can't eliminate all bugs. This is especially true as new technologies come into play (once XSS and SQL injection were understood, developers started introducing LDAP injection).

atk  2010-01-11 23:00:42
A: 

OWASP is trying to do this with it's ESAPI project.

The best way for security to work is to have it built into the API, with very context-aware, context-specific programming methods. This is what SqlParameters do, in .NET, and similar things in other languages (they grab as much context as possible; types of variables, and so on, and perform validation).

If you want to get involved, you can probably get in on the OWASP action, as long as you are motivated.

The best way to do security is to let someone else do it, and follow the API and instructions to the letter. But also, you need to have significant trust in the people doing the underlying work, and you need to stay up to date with what is happening with the libraries you use.

On that last point, you also need to stay flexible. If it so happens that a vulnerability is discovered in your underlying system X, then you may need to update or remove it completely (but most likely update). You need to have the facility to do this ASAP. I.e. to swap out hashing functions, or to change encryption routines.

Obviously, this area is complicated and interesting. I suggest to you that OWASP is a good place to get started.

Noon Silk  2010-01-11 23:03:12
My question is to see if there are higher level abstractions (than SSL libraries) that can be made available as a security component/service that make it usable by business programmers who aren't security hacks. For example, a multi-node secure channel for communication where 3 components of my application which need to have secure communication for a subset of data exchange. I can imagine a use case where at deployment time I specify 3 nodes and the specific transactions to be secured and I don't have to write any code. Seems reasonable to me.
 2010-01-13 17:11:52
I refer you to OWASP. You can't just invent some scenario and then wonder if something exists for it; you need to look it up, see what it matches, and how to do it. There currently do not exist any machines that can think for you.
Noon Silk  2010-01-13 21:22:43

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security