Advertisement
Promo

Security threats Toolkit

Gartner: Developers must be responsible for security

Nick Gibson Builder AU

Published: 30 Nov 2007 12:43 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

At the Gartner Symposium/ITxpo last week, Andrew Walls, a security analyst at the company, shared his thoughts on how Web 2.0 affects application security.

Walls discussed how traditional desktop security measures are falling short in a Web 2.0 world and how developers need to take more personal responsibility for the security of their code.

Q: Whats the single biggest threat to applications on the internet?
A: People. I know that sounds a bit simplistic and facetious but what it really comes down to has always been the way people use applications, and the way people use data. If everyone was honest, trustworthy and truthful, then we wouldn't have security problems. On a practical level, we assume in the security business that everyone out there is deceitful, dishonest and trying to rob us all blind — so we try to secure applications as well as we can.

In the world of Web 2.0, mashups and web-deployed applications, many of the issues we deal with are actually the classic issues around security and application development — we need to make sure that the input data, ie the information that we're entering into form fields in a web page, is actually valid data — information that we want to have put into our system. And of course, the information that leaves your system is what you want to have put out.

We assume in the security business that everyone out there is deceitful, dishonest and trying to rob us all blind

Andrew Walls, Gartner

Any system that ignores those basic rules is a system at risk. If you remember a couple of months ago, there was a big hullabaloo about the [Australian] prime minister's website being hacked. That was a classic JavaScript attack that relies on people not validating input when they take data from a standard form. Now this is one of the standard forms of attack, and they still exist — that's the problem. The developer world has not done a good job at validating all their inputs and outputs, or putting clear bounds on all of the data moving through their systems.

Fundamentally those problems exist because of people — systems do whatever we tell them to, but it's people that carry out the attack, that hack the controls we put in place. The biggest problem is always going to be ourselves.

How well are these problems understood by businesses?
Well it depends on what you mean by businesses. Sitting here at the ITxpo, any one of these businesses out here on the floor understand them very, very well. But, of course, they're focused on IT, about security, and they deal with that all the time. If, on the other hand, you're working for a bank or for a car manufacturer and you talk to the business leaders in those organisations, they would have no understanding of the minutiae I was just talking about — validating and the like. Nor should they. What they need to understand is the impact on their business if those security problems are left untreated and unmanaged. They'll hire security managers and professionals to look after it for them.

What security managers need to be able to do is translate these technological and security risks into business language — into business risks. So then the business leaders can make informed decisions about their business. They don't need to know about the specific problems; that's the security manager's job. The business leader does need to be informed, and to have real data, so the executive can make the best decisions.

How well can the approach taken to desktop application security be taken to the web?
They really don't map very well to each other. To start with, desktop security is not done very well — there's a lot of changes going on there still. We're seeing a whole new class of products that we refer to as "data-leak protections". This covers things like moving data on to a USB stick or burning it onto a CD. That goes beyond identity management or making sure people have tokens for strong authentication — it's more looking at how data moves through your system and controlling that information correctly.

If I want to stop credit card information from leaving my system, either over the network or through somebody's laptop or USB stick, then I have to have software that knows what a credit card number looks like and can do things when it sees data being moved to the wrong places. That goes way beyond what most…

Next

Previous

1 2 3


  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
3 out of 3 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:







Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters