20070904

Full-Disclosure Paper Edition?

Link

While the cats over at sla.ckers (and others) do a great job of finding real vulnerabilities in real applications, we don't actually spend much time calling out book authors for the same.

A couple of guys had a presentation at a recent conference (I won't mention names because they certainly weren't the first to call out a book for telling people to do stuff in a silly way) where they followed design patterns from books on web application coding and ended up with a really horrible (in terms of security) application. They were gutsy enough to name the books they used for the design patterns. But this is really rare.

It seems that while we want for developers to be trained as real engineers who apply real engineering and computer science principals to problems, many developers writing real-world, high-visibility applications were mostly trained from bad tutorials on the internet and books at the local bookstore.

I churned on the idea of setting up a full-disclosure paper edition website, modeled after the other full-disclosure sites, but then there are issues with copyright violation and such - whereas with reporting web vulnerabilities is mostly a question of ethics, I think full-disclosure in a paper edition would be a question of copyright issue and legality. While I'm all for publishers and authors being accountable for the material they publish (hey, bloggers too - call me out when I'm wrong), I can't in good conscience stand up a site that I don't know the legality of the material that would end up on it.

That being said, do we take programming examples with a grain of salt? Do we look at them with the same scrutiny as we do the sites themselves? Where a single vulnerability on a single website is genuine, it's also one person's mistake in the end result. But flaws in books are by people who claim to be experts in the field of development, published by publishers who vouch for the authenticity of that expert opinion, fool users into believing that the book indeed tells the right way to do something.

Is this all a result of the internet, where niche experts are considered authoritative on more subjects than they ought? Where somebody writes a few blog posts on a subject and are "discovered" by a publisher who needs to get some print out in that niche market? If that's the case, how do we convince developers to use a greater level of discernment when they do that google to figure out how to use a new API?

5 comments:

  1. I agree exactly with what you say and I would go as far as saying that books are probably the main cause of security flaws today.

    I have hardly ever picked up a book without finding a huge security hole. In fact I hardly bother reading books anymore and I find more high level stuff on slackers or other blogs.

    As for the legality of finding XSS holes etc, I can't see how it can be illegal unless it can be proven that the researcher had direct involvement with exploiting a user.

    If a flaw is in a website/browser but you are taking advantage of the flaw, the website or browser manufacturer should be held responsible not the researcher. IMO.

    ReplyDelete
  2. @gareth - the legality I was concerned with was reproducing the copyrighted material without the express written permission of the author/publisher - but your point about legality of any other form of full-disclosure is understood - like I said, it's more of an ethical dilemma, not a legal one.

    ReplyDelete
  3. One of the biggest problems is that security is considered a non-functional requirement... and books DO provide a small chapter on security, somewhere towards the end.
    Even if the reader reaches the chapter, it's too late by then. You cannot attain a good level of security without giving thoughts during the intital phases of development.

    Nice to see a post on this topic Sylvan. I'm sure that most of Sec researchers will agree to it.

    ReplyDelete
  4. Inspired by your article, I have wrote about an exploit that I did, in order to provide information on security research and security mindset.

    http://www.thespanner.co.uk/2007/09/05/how-i-found-the-safari-exploit/

    I'm not the best writer I know, but hopefully if people find it interesting and informative I shall do more of these types of articles.

    ReplyDelete
  5. I think there's a lot of value in this idea, and I hope you don't dismiss it too quickly. I don't know whose laws govern wherever you are, but even countries with US-style notions of copyright and litigiousness generally have some notion of Fair Use which explicitly provides for excerpting content for purpose of review.

    One of the big problems with software security is people's tendency to revisit the same mistakes over and over. When a developer learns (often painfully) about some pitfall, they may go on to be more diligent, but no one else benefits, since most software is closed to outside study.

    Books, though, can have multiple editions, thousands of readers; they can improve as problems are found and fixed. A book that starts out halfway decent or worse, but which has earnest authors and a willing publisher, could evolve over a couple rounds of errata into a real bible.

    The threats are constantly changing, so maybe it's a pipe dream to imagine Windows Security For Realz, 10th Edition. On the other hand, a lot of security issues (including those mentioned in the talk you so carefully keep anonymous - I was near the audio guys, where were you? :) are re-discoveries, by a new crop of programmers, of age-old dumbness like weak input validation and predictable ID generation.

    Give it another thought - I think it would be a valuable resource for the community at large, and hell, it would probably, paradoxically, fund itself on referrals. :)

    ReplyDelete