Let’s call me Anatoli.
Who am I, you ask?
I am the next guy who will try to break into your web application, steal the data, hold you as a virtual hostage, and at the same time sell the data to countries, organizations, corporations and organized groups who need your proprietary data, PII, sensitive data, whatever you want to call it. I’ll get my wire transfer immediately and disappear.
You, on the other hand, will open the pouches of your financial purses and spend much money making amends to your clients, customers and the customers of your clients.
What you did not realize last month is that I am a nihilist, insurgent, agitator, social engineer, subversive, a cyber-guerrilla, a cyber-terrorist. Some of my colleagues call me a virtual resistance fighter, a rebel, a cyber-revolutionary.
I am a mutineer on the waves of the dub dub dub, sailing successfully from destination to destination. Do I want to be a Bolshevik? Not really – just getting my name in the news is good enough for me.
To peel back the layers of a web application can be as simple as using a Zlatoust to skin an apple. Sometimes harder, serrated edges are needed (pumping servers for info using multiple threads).
My Zlatoust approach was hindered when Agile “evangelists” produced a development methodology far superior to Waterfall. But this, after careful scrutiny, produced loopholes that I found to be most productive.
Yes, with Agile:
- Quality improves because testing starts from day one.
- Visibility improves because you are halfway through the project when you have built half the features.
- Risk is reduced because you are getting feedback early.
- Customers are happy because they can make changes without paying exorbitant costs.
Yet – herein lies the devil in the details. With such a fast-paced development environment, there are flaws. Agile teams do not take security seriously enough, even when building systems that are accessible over the web.
I found this quote: “The interviews indicate that small and medium-sized agile software development organizations do not use any particular methodology to achieve security goals, even when their software is web-facing and potential targets of attack. This case study confirms that even in cases where security is an articulated requirement, and where security design is fed as input to the implementation team, there is no guarantee that the end result meets the security objectives.”
еда – This is the Russian word for ‘Food’. You can pronounce it as ‘Yeda’. This is fodder that will be used by me and my comrades as we continue to exploit web applications.
- How secure are your web applications?
- Do you know each and every one that is out there?
- If you think so, when were you hired?
- Is there someone with more time at the company (not necessarily a superior) that can give you a history of web applications to check into?
- What do you really have?
Until next time, my friends,