Only as strong as the weakest link

I just read an article on secunia that is very true. A lot of vulnerabilities that are in the wild, don’t target Microsoft’s Windows or Office. They tend to target Java, Flash, Javascript in browsers and etc. This is true for years and years.

Still, I think there is something else that is the big problem in this. It’s not just that programmers write code that’s insecure. That can happen to everybody and you can’t test everything everytime. Even though we can really try with educating things like T-Map and ISTQB. The big problem is that testing costs money, customer has to pay it, but rather goes the cheap way. So to sell your software you have to compromise, especially for big software packages that contain not thousands, but millions of source code lines.

The big problem we have on this moment if you would ask me, is that we tend to integrate more and more features in one package. When you used to write an “Hello World” application 20 years ago, you wrote “Hello World” directly to the buffers of the videocard. The application would be significally less than 1kB, probably around 100 bytes if you have a terrible compiler. Now try to write such an application in Java and the result is a 1,2kB application. It’s 12 times the size. To run that application, it starts a VM and that takes several MB’s. I wouldn’t be surprised if this would take about 1MB in memory. One full MB that can be exploited. Even though all I did was write System.out.println(“Hello World”); in my Main class.

When you run an application in Windows, most of the time these are .NET applications. This takes exactly the same approach, run an application in a VM that executes the application code.

You can test your application as good as possible, but you can’t always check if by using a VM you’re not accidentally loading exploitable code. Especially when you use third-party libraries, this is probably not an option.

I think this is definitely something companies should check into. Both application writing companies, as the companies that use that software. Never trust everything you write and/or buy just because it’s probably just fine and you never had problems before. You’re just as strong as the weakest link, and the weakest link can leak all data that you wanted to keep just for the inside. Don’t push every application to everyone, don’t let everyone on your network just like that and don’t ever think you’re fully secure.

Being secure comes from making sure you’ve limited the possible exploits to a minimum.

This entry was posted in Algemeen. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>