Thursday, July 24, 2008

Can you break your own software?

Schneier talks about Kaminsky's DNS cache poisoning attack. The last few lines are inspiring.

Would you be able to tell what parts of your systems are weak in terms of security? Remember, systems are not just code. You need to think in terms of what each user can do that could be harmful (to the code, to the data, to the infrastructure, and especially, with the trend towards web-based services, to other users). What happens if there's a power failure on your db server? What happens if I maliciously overwrite jQuery in my advertising code? Can I crawl your site and write a script to try people's publicly available data as their login passwords? Can I find this info by crawling other sites? (A son's name is a good one to search for.) Can I use Google Maps and IP locators in conjunction with the ability to link to off-site, dynamically-generated images as my forum avatar and find your physical location? Can I easily spoof your emails? Is your captcha broken?

There are so many things that could be vulnerable that even starting to look for them could be discouraging. But, as the old saying goes, it's better to be safe than sorry.
