
Application Security

Daniel Riedel

Facebook Messenger: Classically Bad AppSec

Facebook offers a textbook example of what the software industry needs to do to put application security in the forefront of software development.

When Facebook removed the messaging capability from its mobile application and required users to download a separate Messenger app to chat, the social media giant ignited a firestorm of backlash over the troves of sensitive data the app collected.

Jonathan Zdziarski, a forensics researcher and self-proclaimed hacker, tweeted that the app “appears to have more spyware type code in it than I’ve seen in products intended specifically for enterprise surveillance.” He told Motherboard that it seems “Facebook is running analytics on nearly everything it possibly can monitor on your device.”

In response, an engineer, identified as @lucyz, who worked on Messenger explained on Twitter that developers use all the analytics to make the app faster and more efficient. She tweeted that “Analytics showed us people were using Like stickers a bunch, so we moved that feature so people can send in fewer taps.”

Messenger engineers wanted to scoop up all that data to make the app better for users. That’s an engineer’s job, after all. But didn’t company policymakers realize that capturing so much sensitive information would alarm users, possibly increase the likelihood of data breaches, and potentially put consumer data at risk?

No, because those issues likely weren’t part of the discussion about the data collection in the first place.

As in many similar instances, Facebook’s engineers and policymakers probably didn’t consult each other during the software-building process, which made it impossible to take a unified approach to user privacy and security. A better partnership between the finance, legal, and security areas (aka the policymakers) needs to happen in the software development process.

Without this collaboration, a company risks data breaches, damage to its reputation, and lost customers. And after the scourge of recent data disasters, it’s more important than ever to bridge the gap between policymakers and engineers.

Perceptions create dissonance
One reason such isolated silos exist within companies is that engineers typically see policymakers as barriers. They don’t think policymakers understand what they do and believe that policymakers will ultimately just impede their work. It’s easy for engineers to put their heads down and build, forgetting that the software ecosystem involves everyone in the enterprise.

On the flip side, policymakers see engineers as hackers — necessary but unreliable.

A lead security practice owner recently told me, “Software engineers know nothing about security; hence, we have completely given up on them and simply assume they will be writing horrific code.”

But the reality is that both sides need to be able to work together to build a process that’s transparent. Building a piece of software isn’t simply a matter of arranging code to accomplish a task. It’s much more complicated than that, and there are serious consequences for failing to collaborate.

Apple came under fire this summer over iCloud security when nude celebrity photos were posted online. A month after the leaks, Apple implemented tougher security measures to bolster iCloud, but the damage was already done.

A reactive approach isn’t sufficient. As more breaches are uncovered and dissected, companies that handle sensitive personal data will undergo tougher scrutiny than ever.

If corporate executives don’t figure out a way to bring their policymakers and engineers together and address these issues during the development phase, the government will likely step in to fill the void. The end result will be strict regulations that do little to make the web safer or more transparent — but will instead betray the core concept of the Internet as a space to share knowledge freely and equally.

Companies must dismantle silos
There is a growing recognition that something has to change. Technology companies are at a turning point, and the organizations that are willing to break down barriers between engineers and policymakers will be the ones that come out on top.

The Cloud Security Alliance and the Software Assurance Forum for Excellence in Code (SAFECode) have partnered to promote software security best practices that can help companies avoid common cloud computing threats. The CSA has also partnered with the International Association of Privacy Professionals to host the IAPP Privacy Academy and CSA Congress, which brought together privacy and cloud security professionals for discussion around these issues. In addition, the recently announced Stanford Cyber Initiative aims to address opportunities and challenges associated with new technologies, including privacy and security.

More companies are sure to follow suit, and it all starts by getting policymakers and engineers in the same room to talk about company goals. Both sides must understand and accept that software has become an ecosystem that touches everyone in the process, and leaders must build their teams with business stakeholders working alongside engineers and designers.

Transparency is the best way to mitigate privacy concerns and reduce the risk of data breaches. By encouraging cross-discipline collaboration during the development phase, businesses can ensure they’re building products that are user-friendly and secure.

Daniel Riedel is the CEO of New Context, a systems architecture firm founded to optimize, secure, and scale enterprises. New Context provides systems automation, cloud orchestration, and data assurance through software solutions and consulting. Daniel has experience in ...

User Rank: Ninja
1/21/2015 | 2:59:42 PM
Companies must dismantle silos
Very wise words, but I don't think I will be holding my breath until that happens. In too many organizations, I've seen group leaders more interested in expanding their empire and controlling everything within it. Yes, in the IT Security world, that may lead to fragmented and insecure application development, confusing and overly complicated technology deployment, etc., but those leaders are more interested in their power growth than anything else, plus they believe their strategy to be close to flawless. What really should happen is for the topmost official within the organization to hand down an edict that brings the different groups to work together for the good of the enterprise. The question then becomes "to whom is that topmost official listening?" There is a danger of taking the advice of someone within the organization, someone who had a personal agenda foremost, and therefore the advice could be tainted in their favor. If the advice comes from outside the organization, there could be the feeling that it comes from an uninformed source who does not fully appreciate the inner workings or goals of the organization. It would behoove those officials to educate themselves accordingly, but that takes time and distracts them from other activities. Now if only their tenure and compensation were to be heavily dependent on the IT security success of the organization ... then again, that is a very big if!
Marilyn Cohodas
User Rank: Strategist
1/23/2015 | 1:52:56 PM
Re: Companies must dismantle silos
I find it particularly disturbing that Facebook exhibits such flagrant disregard for building security into its messaging app.....