Saturday, February 16, 2008
Secure ECM Systems
Laurence Hart commented on testing for the unexpected, where he stated that one of the responsibilities of vendors that provide systems is to make the system secure and safe to use. This goes beyond authentication and authorization, two related yet different concepts. It covers securing against unexpected acts by the user, both accidental and malicious, but he didn't take it deep enough.
At some level, security isn't about making something work but instead about focusing on how things may break. Likewise, the average security professional works from a perspective that most folks may never understand. Consider for a moment that I am the CISO of a large Wall Street firm of 60,000 employees. It can be assumed that 59,995 employees come to work every single day and do their jobs with integrity, and that security is probably focused on 5 individuals at any one time. Does it make it less relevant if the 59,995 employees don't understand the importance?
One thing that Laurence did state was the use of automation to help find vulnerabilities. My initial posting talked about static analysis tools, which help find defects in coding. Of course, you also have to acknowledge that only about half of all defects can be fixed via code, as much of insecure software speaks more to bad or suboptimal design. Generally speaking, input validation can be addressed in code, while vulnerabilities that exist due to latency of synchronization tend to be things that have to be addressed at design time.
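To make the distinction concrete, here is an added example (mine, not code from the original post or from any ECM vendor). A toy document store stands in for an ECM platform; the document ids, the version scheme and the two-writer interleaving are all assumptions for illustration. The input-validation defect is fixed locally with a regular expression. The synchronization defect (two users load the same document, both save, the second silently discards the first) cannot be filtered out of any input; closing it requires changing the contract between client and store so that every write carries the version it was based on, which is a design decision. The interleaving is written out explicitly rather than raced with real threads so the lost update reproduces deterministically.

```python
"""Added example: an input-validation fix versus a synchronization fix.

The store, document ids and version scheme are illustrative assumptions,
not a real ECM product's behaviour.
"""

import re
from dataclasses import dataclass, field

# Fix 1: input validation, which genuinely can be repaired in code.
# Only a conservative character set is accepted, so ids cannot carry
# path separators, quotes or other metacharacters into lower layers.
_DOC_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_doc_id(doc_id):
    """Return doc_id unchanged if it is well-formed, else raise ValueError."""
    if not _DOC_ID.match(doc_id):
        raise ValueError("invalid document id")
    return doc_id


@dataclass
class Document:
    version: int
    body: str


@dataclass
class Store:
    docs: dict = field(default_factory=dict)

    def read(self, doc_id):
        d = self.docs[validate_doc_id(doc_id)]
        return d.version, d.body

    def write_last_wins(self, doc_id, body):
        """Naive save: no synchronization, so a stale writer overwrites a fresh one."""
        d = self.docs[validate_doc_id(doc_id)]
        d.version += 1
        d.body = body

    def write_if_version(self, doc_id, expected_version, body):
        """Optimistic concurrency: the write names the version it was derived from.

        The store rejects the write if the document has moved on, and the
        caller must re-read and merge. This is a change to the protocol
        between client and store, not a filter on the input.
        """
        d = self.docs[validate_doc_id(doc_id)]
        if d.version != expected_version:
            return False
        d.version += 1
        d.body = body
        return True


def lost_update_scenario():
    """Two users load version 1 and both save; Alice's change disappears."""
    store = Store({"contract-42": Document(1, "original")})
    v_alice, body_alice = store.read("contract-42")
    v_bob, body_bob = store.read("contract-42")  # both see version 1
    store.write_last_wins("contract-42", body_alice + " +alice-clause")
    store.write_last_wins("contract-42", body_bob + " +bob-clause")
    return store.read("contract-42")  # (3, 'original +bob-clause')


def guarded_scenario():
    """Same interleaving against the version-checked write: Bob's stale save is refused."""
    store = Store({"contract-42": Document(1, "original")})
    v_alice, body_alice = store.read("contract-42")
    v_bob, body_bob = store.read("contract-42")
    ok_alice = store.write_if_version("contract-42", v_alice, body_alice + " +alice-clause")
    ok_bob = store.write_if_version("contract-42", v_bob, body_bob + " +bob-clause")
    return ok_alice, ok_bob, store.read("contract-42")


if __name__ == "__main__":
    print("last-wins:", lost_update_scenario())
    print("version-checked:", guarded_scenario())
```

Note that `validate_doc_id` is called on every path in both scenarios and makes no difference to the outcome; no amount of input checking repairs the lost update, which is exactly why a static analysis tool that finds the missing validation will not find the missing concurrency control.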
I am not really worried if others choose to be offended. I do care that folks who procure software do so by ensuring that their software vendors are using automated tools, and that others within the enterprise are smart enough to at least add it to their RFPs. My motivation has nothing to do with my profession but has everything to do with being a consumer. For the record, I am on my fifth data leak, and the last one came from an insecure ECM platform. My only goal is to make sure that this doesn't happen to others simply because some felt offended and believe this is a valid excuse for making their platforms less secure.
Management 101 teaches that one tactic which encourages, instead of stating an answer, is to start by asking a question. Many folks get frustrated with their bosses and think they are idiots when in all reality their appearance of ignorance is on purpose. Not getting the answers I seek does not imply that I don't already know the answer. Sometimes I ask questions so that others can observe the answer.
One security principle that is time-proven in Microsoft software is that security is sometimes the polar opposite of backward compatibility. Microsoft has some of the smartest employees on the planet, yet its software still gets attacked daily. If they were permitted to break backward compatibility, things would improve immensely. Imagine if reuse of legacy code weren't required: do you believe that the products you use would be more secure?
Creation of evidence is easy, but it still requires someone to respond in a public manner. If you put up an instance of an ECM platform on the Internet along with appropriate disclaimers and legal stuff, I think it will emerge in a matter of minutes. Barring this, you aren't looking for evidence but for something else.
In terms of Laurence and any abuse he may feel, I hope that he is cognizant that others appreciate his dedication, and even though they may not leave a comment stating such, he is inspirational and helpful to many. If anyone attacks him, they will most certainly need to duck down...