Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

1/21/2015
10:30 AM
Daniel Riedel
Daniel Riedel
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
100%
0%

Facebook Messenger: Classically Bad AppSec

Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.

When Facebook removed the messaging capability from its mobile application and required users to download a separate Messenger app to chat, the social media giant ignited a firestorm of backlash over the troves of sensitive data the app collected.

Jonathan Zdziarski, a forensics researcher and self-proclaimed hacker, tweeted that the app “appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance.” He told Motherboard that it seems “Facebook is running analytics on nearly everything it possibly can monitor on your device.”

In response, an engineer, identified as ‏@lucyz, who worked on Messenger explained on Twitter that developers use all the analytics to make the app faster and more efficient. She tweeted that “Analytics showed us people were using Like stickers a bunch, so we moved that feature so people can send in fewer taps.”

Messenger engineers wanted to scoop up all that data to make the app better for users. That’s an engineer’s job, after all. But didn’t company policymakers realize that capturing so much sensitive information would alarm users, possibly increase the likelihood of data breaches, and potentially put consumer data at risk?

No, because those issues likely weren’t part of the discussion about the data collection in the first place.

As in many similar instances, Facebook’s engineers and policymakers probably didn’t consult each other during the software-building process, which made it impossible to take a unified approach to user privacy and security. A better partnership between the finance, legal, and security areas (aka the policymakers) needs to happen in the software development process.

Without this collaboration, a company risks data breaches, damage to its reputation, and lost customers. And after the scourge of recent data disasters, it’s more important than ever to bridge the gap between policymakers and engineers.

Perceptions create dissonance
One reason such isolated silos exist within companies is that engineers typically see policymakers as barriers. They don’t think policymakers understand what they do and believe that policymakers will ultimately just impede their work. It’s easy for engineers to put their heads down and build, forgetting that the software ecosystem involves everyone in the enterprise.

On the flip side, policymakers see engineers as hackers — necessary but unreliable.

A lead security practice owner recently told me, “Software engineers know nothing about security; hence, we have completely given up on them and simply assume they will be writing horrific code.”

But the reality is that both sides need to be able to work together to build a process that’s transparent. Building a piece of software isn’t simply a matter of arranging code to accomplish a task. It’s much more complicated than that, and there are serious consequences for failing to collaborate.

Apple came under fire this summer over iCloud security when nude celebrity photos were posted online. A month after the leaks, Apple implemented tougher security measures to bolster iCloud, but the damage was already done.

A reactive approach isn’t sufficient. As more breaches are uncovered and dissected, companies that handle sensitive personal data will undergo tougher scrutiny than ever.

If corporate executives don’t figure out a way to bring their policymakers and engineers together and address these issues during the development phase, the government will likely step in to fill the void. The end result will be strict regulations that do little to make the web safer or more transparent — but will instead betray the core concept of the Internet as a space to share knowledge freely and equally.

Companies must dismantle silos
There is a growing recognition that something has to change. Technology companies are at a turning point, and the organizations that are willing to break down barriers between engineers and policymakers will be the ones that come out on top.

The Cloud Security Alliance and the Software Assurance Forum for Excellence in Code (SAFECode) have partnered to promote software security best practices that can help companies avoid common cloud computing threats. The CSA has also partnered with the International Association of Privacy Professionals to host the IAPP Privacy Academy and CSA Congress, which brought together privacy and cloud security professionals for discussion around these issues. In addition, the recently announced Stanford Cyber Initiative aims to address opportunities and challenges associated with new technologies, including privacy and security.

More companies are sure to follow suit, and it all starts by getting policymakers and engineers in the same room to talk about company goals. Both sides must understand and accept that software has become an ecosystem that touches everyone in the process, and leaders must build their teams with business stakeholders working alongside engineers and designers.

Transparency is the best way to mitigate privacy concerns and reduce the risk of data breaches. By encouraging cross-discipline collaboration during the development phase, businesses can ensure they’re building products that are user-friendly and secure.

Daniel Riedel is the CEO of New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. New Context provides systems automation, cloud orchestration, and data assurance through software solutions and consulting. Daniel has experience in ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/23/2015 | 1:52:56 PM
Re: Companies must dismantle silos
I find it particulary disturbing that Facebook exhibits such flagrant disregard for building security into its messaging app.....  
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
1/21/2015 | 2:59:42 PM
Companies must dismantle silos
Very wise words, but I don't think I will be holding my breath until that happens. In too many organizations, I've seen group leaders more interested in expanding their empire and controlling everything within it. Yes, in the IT Security world, that may lead to fragmented and insecure application development, confusing and overly complicated technology deployment, etc., but those leaders are more interested in their power growth than anything else, plus they believe their strategy to be close to flawless. What really should happen is for the topmost official within the organization to hand down an edict that brings the different groups to work together for the good of the enterprise. The question then becomes "to whom is that topmost official listening?" There is a danger of taking the advice of someone within the organization, someone who had a personal agenda foremost, and therefore the advice could be tainted in their favor. If the advice comes from outside the organization, there could be the feeling that it comes from an uninformed source who does not fully appreciate the inner workings or goals of the organization. It would behoove those officials to educate themselves accordingly, but that takes time and distracts them from other activities. Now if only their tenure and compensation were to be heavily dependent on the IT security success of the organization ... then again, that is a very big if!
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11873
PUBLISHED: 2019-05-23
wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when a current identity size is greater than a client identity size. An attacker sends a crafted hello client packet over the network to a TLSv1.3 wolfSSL server. The length fields of the packet: record length, client hello length, to...
CVE-2019-12295
PUBLISHED: 2019-05-23
In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the dissection engine could crash. This was addressed in epan/packet.c by restricting the number of layers and consequently limiting recursion.
CVE-2019-12293
PUBLISHED: 2019-05-23
In Poppler through 0.76.1, there is a heap-based buffer over-read in JPXStream::init in JPEG2000Stream.cc via data with inconsistent heights or widths.
CVE-2018-7201
PUBLISHED: 2019-05-22
CSV Injection was discovered in ProjectSend before r1053, affecting victims who import the data into Microsoft Excel.
CVE-2018-7803
PUBLISHED: 2019-05-22
A CWE-754 Improper Check for Unusual or Exceptional Conditions vulnerability exists in Triconex TriStation Emulator V1.2.0, which could cause the emulator to crash when sending a specially crafted packet. The emulator is used infrequently for application logic testing. It is susceptible to an attack...