Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

Daniel Riedel

Facebook Messenger: Classically Bad AppSec

Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.

When Facebook removed the messaging capability from its mobile application and required users to download a separate Messenger app to chat, the social media giant ignited a firestorm of backlash over the troves of sensitive data the app collected.

Jonathan Zdziarski, a forensics researcher and self-proclaimed hacker, tweeted that the app “appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance.” He told Motherboard that it seems “Facebook is running analytics on nearly everything it possibly can monitor on your device.”

In response, a Messenger engineer identified on Twitter as @lucyz explained that developers use all of that analytics data to make the app faster and more efficient. She tweeted that “Analytics showed us people were using Like stickers a bunch, so we moved that feature so people can send in fewer taps.”

Messenger engineers wanted to scoop up all that data to make the app better for users. That’s an engineer’s job, after all. But didn’t company policymakers realize that capturing so much sensitive information would alarm users, enlarge the amount of data exposed in any future breach, and put consumer data at risk?

No, because those issues likely weren’t part of the discussion about the data collection in the first place.

As in many similar instances, Facebook’s engineers and policymakers probably didn’t consult each other while the software was being built, which made a unified approach to user privacy and security impossible. Finance, legal, and security (the policymakers, in this framing) need a genuine partnership with engineering inside the software development process, not a review after the fact.

Without this collaboration, a company risks data breaches, damage to its reputation, and lost customers. And after the scourge of recent data disasters, it’s more important than ever to bridge the gap between policymakers and engineers.

Perceptions create dissonance
One reason such isolated silos exist within companies is that engineers typically see policymakers as barriers. They don’t think policymakers understand what they do and believe that policymakers will ultimately just impede their work. It’s easy for engineers to put their heads down and build, forgetting that the software ecosystem involves everyone in the enterprise.

On the flip side, policymakers see engineers as hackers — necessary but unreliable.

A lead security practice owner recently told me, “Software engineers know nothing about security; hence, we have completely given up on them and simply assume they will be writing horrific code.”

But the reality is that both sides need to be able to work together to build a process that’s transparent. Building a piece of software isn’t simply a matter of arranging code to accomplish a task. It’s much more complicated than that, and there are serious consequences for failing to collaborate.

Apple came under fire in the summer of 2014 over iCloud security when nude celebrity photos taken from compromised accounts were posted online. A month after the leaks, Apple implemented tougher security measures to bolster iCloud, but the damage was already done.

A reactive approach isn’t sufficient. As more breaches are uncovered and dissected, companies that handle sensitive personal data will undergo tougher scrutiny than ever.

If corporate executives don’t figure out a way to bring their policymakers and engineers together and address these issues during the development phase, the government will likely step in to fill the void. The end result will be strict regulations that do little to make the web safer or more transparent — but will instead betray the core concept of the Internet as a space to share knowledge freely and equally.

Companies must dismantle silos
There is a growing recognition that something has to change. Technology companies are at a turning point, and the organizations that are willing to break down barriers between engineers and policymakers will be the ones that come out on top.

The Cloud Security Alliance and the Software Assurance Forum for Excellence in Code (SAFECode) have partnered to promote software security best practices that can help companies avoid common cloud computing threats. The CSA has also partnered with the International Association of Privacy Professionals to host the IAPP Privacy Academy and CSA Congress, which brought together privacy and cloud security professionals for discussion around these issues. In addition, the recently announced Stanford Cyber Initiative aims to address opportunities and challenges associated with new technologies, including privacy and security.

More companies are sure to follow suit, and it all starts by getting policymakers and engineers in the same room to talk about company goals. Both sides must understand and accept that software has become an ecosystem that touches everyone in the process, and leaders must build their teams with business stakeholders working alongside engineers and designers.

Transparency about what data is collected, why, and who can see it is the best way to mitigate privacy concerns and reduce the risk of data breaches. By encouraging cross-discipline collaboration during the development phase, businesses can ensure they’re building products that are both user-friendly and secure.

Daniel Riedel is the CEO of New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. New Context provides systems automation, cloud orchestration, and data assurance through software solutions and consulting.

Comments
Marilyn Cohodas
User Rank: Strategist
1/23/2015 | 1:52:56 PM
Re: Companies must dismantle silos
I find it particularly disturbing that Facebook exhibits such flagrant disregard for building security into its messaging app...
User Rank: Ninja
1/21/2015 | 2:59:42 PM
Companies must dismantle silos
Very wise words, but I don't think I will be holding my breath until that happens. In too many organizations, I've seen group leaders more interested in expanding their empire and controlling everything within it. Yes, in the IT Security world, that may lead to fragmented and insecure application development, confusing and overly complicated technology deployment, etc., but those leaders are more interested in their power growth than anything else, plus they believe their strategy to be close to flawless. What really should happen is for the topmost official within the organization to hand down an edict that brings the different groups to work together for the good of the enterprise. The question then becomes "to whom is that topmost official listening?" There is a danger of taking the advice of someone within the organization, someone who had a personal agenda foremost, and therefore the advice could be tainted in their favor. If the advice comes from outside the organization, there could be the feeling that it comes from an uninformed source who does not fully appreciate the inner workings or goals of the organization. It would behoove those officials to educate themselves accordingly, but that takes time and distracts them from other activities. Now if only their tenure and compensation were to be heavily dependent on the IT security success of the organization ... then again, that is a very big if!