Showing posts with label security. Show all posts

Thursday, November 01, 2007

Application Security Special Interest Group

I'm part of an expertise group at the new company where we attempt to resolve security concerns and develop security awareness that is integrated into the development process from the beginning of a project. The focus is not on specific things like encrypting passwords, but is more global in nature and may lead to the development of a new service portfolio.

Tonight we have a meeting. My focus is mostly on application architecture, so very high level.

Examples of AS (application security) concerns are:
  • Unwanted and unseen information leakage (see recent web2.0 developments)
  • Cross Site Scripting attacks and other browser vulnerabilities
  • Unwanted access
  • Injection vulnerabilities
  • Lack of input validation
  • Insufficient testing on the security of an application
  • Insufficient preparation and evaluation in the architecture and design
A very basic thing that isn't truly considered in many cases is that requirements are written from the perspective of how something should behave, never how it must definitely not behave. Especially in the field of security, this leaves a wide gap that may introduce security problems when the developer, writer or architect is not aware of certain vulnerabilities in that area.
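One way to close that gap is to write the negative requirements down next to the positive ones and make both executable. The example below is added here and is not code from the original post or from any project it mentions: the display-name rule, the validator, the names (`validate_display_name`, `render_greeting`, `requirement_gaps`) and every input are constructed for illustration. The positive requirement ("a display name is 3 to 32 characters of letters, digits, spaces or hyphens") is the kind of sentence a specification normally contains; the `MUST_REJECT` list is the part that is usually missing, and the check reports any input the implementation accepts that the negative requirements forbid.

```python
"""Positive and negative requirements expressed as executable checks.

Added example, not from the original post. The validator, the sample
requirement and every input below are constructed for illustration.
"""
import html
import re
import unicodedata

# Positive requirement, as it would usually be written in a specification:
#   "A display name is 3 to 32 characters of letters, digits, spaces or hyphens."
DISPLAY_NAME_RE = re.compile(r"\A[A-Za-z0-9](?:[A-Za-z0-9 -]{1,30})[A-Za-z0-9]\Z")


def normalize(name: str) -> str:
    """Canonicalize before validating, so look-alike encodings cannot slip past the check."""
    return unicodedata.normalize("NFKC", name)


def validate_display_name(name: str) -> bool:
    """Return True only if the name meets the positive requirement after normalization."""
    if not isinstance(name, str):
        return False
    name = normalize(name)
    # Control and format characters (NUL, zero-width space, ...) are never legitimate here,
    # so they are rejected explicitly even though the pattern below would also reject them.
    if any(unicodedata.category(c).startswith("C") for c in name):
        return False
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def render_greeting(name: str) -> str:
    """Render a greeting. Output encoding is the defence the positive requirement never mentions."""
    if not validate_display_name(name):
        raise ValueError("display name rejected")
    return "<p>Hello, " + html.escape(normalize(name), quote=True) + "</p>"


# Constructed test data: what the system SHOULD accept, and what it MUST NOT accept.
SHOULD_ACCEPT = ["Ana Silva", "jo-ao", "Bob"]
MUST_REJECT = [
    "<script>alert(1)</script>",   # markup: would become cross-site scripting if rendered
    "ana' OR '1'='1",              # quote characters: injection-style input
    "ab",                          # too short
    "a" * 33,                      # too long
    "Ana\x00Silva",                # embedded NUL (control character)
    "Ana\u200bSilva",              # zero-width space (invisible format character)
    "\uff1cscript\uff1e",          # full-width brackets that NFKC folds to < and >
    12345,                         # wrong type
]


def requirement_gaps() -> dict:
    """Run both requirement sets against the implementation and report every gap.

    An empty result means the implementation satisfies the positive requirement
    and none of the negative ones are violated.
    """
    return {
        "rejected_valid": [n for n in SHOULD_ACCEPT if not validate_display_name(n)],
        "accepted_invalid": [n for n in MUST_REJECT if validate_display_name(n)],
    }


if __name__ == "__main__":
    print(requirement_gaps())
    print(render_greeting("Ana Silva"))
```

The point of the structure is that `MUST_REJECT` lives in the same file as the specification of what to accept, so a reviewer who adds a new positive case is prompted to ask what the corresponding negative cases are; the normalization step is there because a negative requirement stated only on ASCII is easy to satisfy with an input that only looks different.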

When things develop further, I'll write more on this blog.

Wednesday, July 11, 2007

Back "home"...

Well, I finally made it back "home". I am part of a group called IACE (Instituto Antonio Carlos Escobar), which is a group of volunteers in Recife who are concerned about the rising violence levels. It's a good idea to get acquainted with the group, subscribe, and help with campaigning.

The site that was passed on the list is this:

http://www.pebodycount.com.br/

It's in Portuguese, but one post attracted my attention. I will translate it here, and you should be aware of these things before you travel to Brazil:

-----

Summary of violence in the first six months of 2007.
There have been 2447 homicides this year and 2301 in the same period last year.
The current average is 13 murders per day in the state. Last year it was 12.
May and June 2007 had 733 murders. The same period of 2006, 718.
Considering the PEbodycount data for the month of June:

85 murders in Recife.
110 in the other cities of the RMR. 35 in Jaboatão.
52 in the Zona da Mata. 12 in Timbaúba.
49 in the Agreste. 8 in Caruaru.
43 in the Sertão. 9 in Petrolina.
11 in an undetermined location.

Among the victims, 330 men and 20 women were counted.
About 80% of the murders were committed with firearms. We are not here just to do calculations. Behind these numbers is our reality, which unfortunately is what these statistics translate as being very violent. We are working to provide a vital element for citizenship: information. Make good use of it.

-----

Balance of violence in the first six months of 2007. There are 2447 murders this year (up to June) and 2301 in the same period last year. On average, there are 13 killings per day in this state. Last year the average was 12.

May and June 2007 there were 733 murders. The same period 2006, 718.
Considering the data of PEBodyCount in the month of June only:

85 murders in Recife (3 million people). 110 in other cities of the Região Metropolitana do Recife (6 million people, poorer neighborhoods). 35 in Jaboatão. 52 in "Zona da Mata". 12 in Timbaúba. 49 in Agreste. 8 in Caruaru. 43 in Sertão. 9 in Petrolina. (You should be able to find these places on Google Maps.) 11 of unknown locality.

Among the victims, 330 men and 20 women. About 80% of murders were committed with the use of firearms. We are not here to do calculations. Behind these numbers is our reality, which unfortunately is translated through these statistics as being very violent. We are working to supply a vital element for citizenship: information. Take advantage of it.

-----

Mind you, I have lived here since 2004, but I sense changes for the worse over the past couple of months. Today, for example, I saw in the news that a shopping centre got totally terrorized by youngsters when cinema tickets went half-price. It's basically a very large group of 13?-2x year olds. Lots of robberies, violent assaults, verbal abuse against shopkeepers, stealing, vandalism, you name it! The shopkeepers were forced to close down, since they were unable to do their work this way. Shouting everywhere, people throwing stuff, damage, vandalism. There were about 60 men providing security, many of whom were off-duty police officers.

The police representative was interviewed the same day; they saw no particular reason for concern and reinforced that the shopping center was as safe as normal ("aqui há segurança sim").

Overall, people have already commented that this state is becoming (or has become), based on statistics, more violent than the state of Rio de Janeiro, Rio actually being the city that is best known for drug trade and illegal firearms (see "Cidade de Deus", for example).

Saturday, June 16, 2007

FaceBook. The new web?

Web 2.0 and YouTube gave us "user-generated content". It is where we post our videos, audio, photos, text, blogs etc. online for everyone to see. 90% of everything is junk (maybe like this blog :).

The other 10% is funny, interesting, insightful, challenging, or whatever. Some later developments are new ways to play around with that content or host even new things that people didn't think of before. There are a million ways for example that we can interact with one another. Yahoo Pipes is all about processing news and information and delivering it to you through a kind of processing pipe.

FaceBook is slightly different. You can inject content and pictures on a simple level, but you can also host embedded applications integrated with FaceBook. FaceBook is a bit like an existing portal on the web somewhere, and then you can request your services to be integrated through this portal and use their API to interact with other services of FaceBook. If you consider "infrastructure", this is what FaceBook provides. You provide immediate business logic that is hopefully new to everyone.

Here are examples of this new kind of thing. The previous link shows the reasoning behind FaceBook, which sounds very interesting.

One of the last lines reads:
the Facebook Platform is primarily for use by either big companies, or venture-backed startups with the funding and capability to handle the slightly insane scale requirements.
Yes. If something is really successful and with the current efficiency of our social networking capabilities, "novelties" travel through our network at an insane speed. Not necessarily faster than general broadcasting, but there's also no filtering by a third party in the case of broadcasters. It could be that a 3rd party through other interests decides to downplay or diminish a certain event, which, when taken as "raw information" might be very important for everyone to know.

These snowball effects can increase load on any server farm in an instant. If you manage to get your company's link on CNN, BBC or Slashdot or any other large site, you'll certainly be sure of a lot of traffic instantly that may last for a day or two. If you consider social networking sites where people might actually return daily, if the services provided there are really good there is an exponential growth pattern and insane growth requirements. Just ordered that big iron? The next day you'll order 10 more. Whoops, your bandwidth is running out. Whoops, the firewall got attacked. One angry user just launched a bot-net attack on your servers.

Infrastructure, infrastructure, infrastructure, and lots of investment, instantly. And on the business side you need to keep things interesting, or the network will quickly drain out. What happens when another site comes up that offers similar services and something new that you didn't think of? Is there any sense of "loyalty"? You're not necessarily talking to individuals. It would be interesting to see how individuals behave as part of a social networking site. Do they exhibit more of a "flock" behaviour (they go where "the rest" goes?) or are their actions still based on individual decisions?

If we can recognize "flocking behaviour", this may be good when the business grows... but wow, it can be very bad for business if the flock heads the other way... there is no stopping it!

Here is another interesting post on one of the facebook blogs:
There is a valuable lesson in all of this. There is a ton of money in developing platforms that make it easier for people to express themselves quickly and easily. Following this thread I can imagine the future value of virtual worlds such as second life where users can pick and choose everything down to their clothing, height, etc with the click of a button. Life is a story. Those applications (software as well as physical devices) that make it easier for people to share their story for others to watch unfold will be the ultimate winners when all is said and done.