How paranoid about application security is enough?
I was asked to secure my company’s software application at a previous job. I dutifully headed off to do some online research. Five hours of googling later, I realized that the concept of a “secure application” was, in fact, ephemeral. A growing unease stirred inside me. Is anything, anywhere safe?
Am I the only one that feels this way? Am I going crazy? I dig even deeper down the rabbit hole. Apparently, psychology has been studying this phenomenon for the past few decades, and while a small corner of my mind feels relieved to find out that I am not alone, another louder part of my mind worries about the fact that psychology is looking at it… is it really that prevalent?
One quote in a Frontiers paper sticks in my craw: “On balance, the weight of the evidence points to an excessive level of fear regarding information technology within society, in that the level of fear seems to be out of proportion to the actual risks.” This can’t be true: every month brings reports of more vulnerabilities, more data breaches, more people getting defrauded, more people getting their identities stolen.
Not so confident in academia’s understanding of the ‘real’ world, I do a quick Google search using the words “security” & “paranoia”. Immediately I find my feelings echoed on Reddit in the following post*: “So is it just me or the more you learn about cyber security, the more paranoid you are about every little action you do?” The answer provided does not make me feel better: “You learn how to accept risk. The only completely secure computer is powered off at the bottom of a line shaft broken into inoperable pieces.”
So, which is it? Are my “fears out of proportion”, or is security only achievable at the bottom of an abandoned mining shaft?
Is anything, anywhere safe?
Only a small portion of a single course (of 40 total!) from my Computer Science degree actually addressed security in a formal way. It was in this course, Computer Networking, where I met Alice & Bob innocently trying to communicate unaware of the villainous Charlie sneaking around in the middle hacking into their messages.
There I learned how to use Wireshark and started sniffing packets at the local coffee shop. This sharpened my desire to pay attention in class, and I diligently studied the “known knowns” of the industry, cognitively arming myself to move around with more environmental awareness in the digital space.
I started protecting my own sensitive applications with 2FA (two-factor authentication) and preaching it as the way to everyone I know, because it is surely infallible. Right? Wrong.
I read that SMS and OTP 2FA implementations such as Google Authenticator are often breached* by a middling Charlie, and my security blanket once again becomes damp. (FIDO implementations such as YubiKeys are not vulnerable to this.)
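What that “middling Charlie” actually does to each factor, as an added example that is not part of the original post: a phishing page relays the victim’s one-time code to the real site, and the real site has no way to tell. A FIDO/WebAuthn assertion fails the same relay because the browser writes the origin it really loaded into the signed data. The TOTP code follows RFC 6238 (its seed and the expected code 287082 at T=59 are the RFC’s own test vector); the WebAuthn part is deliberately simplified, with an HMAC standing in for the authenticator’s ECDSA signature, and the relying party, device key, challenge and phishing domain are made up for the illustration.

```python
import hashlib
import hmac
import json
import struct

# ---- Factor 1: TOTP (RFC 6238, HMAC-SHA1, 30 s step, 6 digits) ----

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HOTP (RFC 4226) over the current time step (RFC 6238)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp_login(server_secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """Server-side check; the previous, current and next steps are accepted for clock skew."""
    return any(
        hmac.compare_digest(totp(server_secret, unix_time + d * 30), submitted_code)
        for d in (-1, 0, 1)
    )


def phish_relay_totp(shared_secret: bytes, unix_time: int) -> bool:
    """Man-in-the-middle: the victim types a valid code into the phishing page and the
    attacker forwards it to the real site a few seconds later. Nothing in the code is
    bound to the site the victim thought they were on, so the real site accepts it."""
    code_typed_into_phishing_page = totp(shared_secret, unix_time)
    return totp_login(shared_secret, code_typed_into_phishing_page, unix_time + 5)


# ---- Factor 2: a simplified WebAuthn/FIDO assertion ----
# Assumed relying party and phishing domain (constructed for this example).
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
PHISHING_ORIGIN = "https://bank-example.login-help.test"


def _rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(device_key: bytes, rp_id: str, client_data_json: bytes):
    """Authenticator: signs authenticatorData || SHA-256(clientDataJSON).
    Real authenticators use an ECDSA/EdDSA private key; an HMAC under a key registered
    at enrolment stands in here so the example needs only the standard library."""
    auth_data = _rp_id_hash(rp_id) + b"\x01" + b"\x00\x00\x00\x01"  # rpIdHash, flags (UP), counter
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return auth_data, hmac.new(device_key, signed, hashlib.sha256).digest()


def browser_get_assertion(device_key: bytes, page_origin: str, rp_id: str, challenge: str):
    """The browser, not the web page, builds clientDataJSON and records the origin it
    actually loaded the page from; the page cannot lie about that field."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator_sign(device_key, rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(device_key: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks in the order the WebAuthn spec lists them:
    type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # the check a phishing relay cannot get past
        return False
    if auth_data[:32] != _rp_id_hash(RP_ID):
        return False
    expected = hmac.new(device_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def legit_fido(device_key: bytes, challenge: str) -> bool:
    client_data, auth_data, sig = browser_get_assertion(device_key, RP_ORIGIN, RP_ID, challenge)
    return rp_verify(device_key, challenge, client_data, auth_data, sig)


def phish_relay_fido(device_key: bytes, challenge: str) -> bool:
    """Same relay as above: the attacker forwards the real challenge to the victim's
    browser on the phishing origin. The signed clientDataJSON now names the wrong
    origin, and it cannot be edited without invalidating the signature."""
    client_data, auth_data, sig = browser_get_assertion(device_key, PHISHING_ORIGIN, RP_ID, challenge)
    return rp_verify(device_key, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"  # RFC 6238 test seed; 6-digit code at T=59 is 287082
    print("TOTP relayed through phishing page accepted:", phish_relay_totp(rfc_seed, 59))
    key, challenge = b"constructed-device-key", "constructed-challenge"
    print("FIDO assertion from real origin accepted:   ", legit_fido(key, challenge))
    print("FIDO assertion relayed from phishing origin:", phish_relay_fido(key, challenge))
```

Two things the simplification leaves out, both of which make FIDO stronger than shown: a real browser refuses to use a credential whose rpId is not a registrable suffix of the page’s domain, so the phishing page never even gets the authenticator prompt; and the relay against TOTP does not need to race the 30-second window at all, since modern phishing kits proxy the whole session and simply keep the resulting cookies.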
My research reveals that it is impossible to really anticipate all of the attack vectors, all of the potentially penetrable planes of any process. The monitoring systems that I had once trusted to keep my company’s system safe all of a sudden become the opposite of that*. Facebook Careers can be hacked using Word documents*. Even harmless wee CSS becomes an affordance upon which one can inject malicious JavaScript*.
What really feeds my anxiety beast, though, is the fact that there are still so many dangers lurking in the shadows that I haven’t even conceived of yet. The SolarWinds attack was so effective because internal build processes behind firewalls were presumed safe. Very few ever imagined CSS could be a target either.
As a digital nomad, it reminds me of when I land in a new city, when I am still unaware of the “bad” areas, of its particular flavour of crime. Are pickpockets rampant here; are the kebabs actually chicken? I remember that time a random woman threw a cat at me, and how her kid ran off with my bag as I was shaking it off. I had never really anticipated getting ripped off in that particular way; had never conceived of it being something to be careful of.
What gave me hope, the only spark of light in all of this darkness, was the fact that my boss had decided to take security seriously. She had convinced the money people that even though the process of securing a system can be both time- and money-consuming in the short run, it ends up being both time- and cost-reducing in the long run. She explained how with practice we could learn to anticipate obvious attacks and, with creativity, we could start anticipating some not-so-obvious attacks.
What did I do after I embraced my paranoia and decided to build secure applications?
I came across Jack Rhysider’s list of 20 things he learned as a network security engineer. Reading it, I see a pattern of measured precautions: little building blocks to feel prepared, to involve a team, to stay on top of matters without panicking.
I learn that I am not alone in my world of AppSec worries and that this space is rich with interesting, knowledgeable, and appropriately paranoid people. Spend any time trawling through Reddit or lurking on Twitter, and you will find people who have already hit the ground running.
Poking my head out of the rabbit hole, I decide once and for all to embrace my paranoia, to make it work for me. I figure that the only way to win this battle, to create a proper offensive, is to think about it as much as attackers do and that my (un-panicked) paranoia will help me do exactly that.
Want to keep your application secure?
Start a free trial today and find out what we can do to help you to assuage your paranoia.