Web Security Training

Navigating the web security landscape

No, not everybody should be a security expert

The Web would be a lot more secure if everybody was a security expert, but that's an utterly unrealistic scenario. Instead, everybody should be aware of security, should learn the basic security principles, and should know when to call in help from security experts. That's exactly what the SecAppDev course stands for. To get you started with Web security, I've included a list of useful resources at the end of this post.

Spending a week amongst developers, system administrators, technical managers and people with an even more complex job description at the SecAppDev course is always an intense and interesting experience. Hearing stories during lunch and coffee breaks about how security is handled can be either inspiring or utterly depressing, but nonetheless, they shed light on the day-to-day practice that we’re trying to improve.

From these discussions, it becomes very clear that the field has become so complex that it is not realistic to expect everybody to be a security expert. Think of a system administrator, who does not need to be a developer, and a developer, who does not need to be the world’s greatest sysadmin. It really helps, however, if they know enough about each other’s field to be able to communicate, to know the limits, and most importantly, to know when they’re outside of their expertise and need to call in help. The same principle applies to security, which is exactly what SecAppDev’s mission statement is all about.

Practitioners should have a general security awareness within their field, especially because of the way we solve practical problems nowadays. In the past, if you encountered a problem, you solved it with the help of the documentation. Nowadays, you simply turn to Stack Overflow, where you’ll very likely find other people with the same problem, and a working solution to the problem. While the latter approach is probably more efficient, there is one important difference to keep in mind. The documentation is likely written by experienced, knowledgeable people, while an answer on Stack Overflow can be written by just about anyone, regardless of their expertise …

This phenomenon is known as Stack Overflow copy/pasting, and it is great if you need to solve a configuration problem or programming error, because you get immediate results. Unfortunately, if you are clueless about security, and the poster on Stack Overflow is also clueless about security, you have a nice recipe for disaster. Allow me to illustrate with a few examples where people want to embed HTML elements in a data binding in AngularJS or EmberJS. Traditionally, binding user-controlled data straight into the page would cause a severe Cross-Site Scripting (XSS) vulnerability, but fortunately, AngularJS and EmberJS are aware of this: their bindings HTML-escape the bound value by default, so a <b> tag in the data shows up as literal text rather than as markup, and so does an attacker's <script> tag. There are rare occasions where you want something other than the default, safe behaviour, and both frameworks offer an escape hatch for that (marking a string as trusted HTML, which the binding then inserts verbatim). That escape hatch should only be used on HTML that does not come from a user at all, or that you have sanitised yourself, and only if you really know what you’re doing. Unfortunately, that caveat is exactly what’s missing from the advice given here, here or here.

A point well illustrated by this parody book cover floating around on Twitter
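What those answers hand out, and what the safe alternative looks like, in a few lines of JavaScript. This is an added example, not code from the original post and not AngularJS or Ember code: escapeHtml, bind, trustAsHtml and sanitize are stand-ins for the frameworks' default binding, their trusted-HTML escape hatch ($sce.trustAsHtml with ng-bind-html in AngularJS, htmlSafe in Ember) and a sanitiser such as AngularJS's ngSanitize. The user comment is a constructed sample, and the allowlist sanitiser is deliberately small.

```javascript
// Added example (not from the original post, not framework code): models how a
// data binding escapes by default, how the "trust this HTML" escape hatch
// switches that off, and why sanitising must happen before trusting.

// 1. Default binding behaviour: everything is escaped, markup becomes text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// 2. The escape hatch: a wrapper type telling the binding "insert verbatim".
//    Stand-in for $sce.trustAsHtml (AngularJS) / htmlSafe (Ember).
class TrustedHtml {
  constructor(html) { this.html = html; }
}
function trustAsHtml(html) { return new TrustedHtml(html); }

// 3. The binding: escapes plain values, passes TrustedHtml through unchanged.
function bind(value) {
  return value instanceof TrustedHtml ? value.html : escapeHtml(value);
}

// 4. A teaching-size allowlist sanitiser. Regex-based, so it is NOT a
//    replacement for ngSanitize or DOMPurify, which use a real HTML parser.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const SAFE_URL = /^(?:https?:|mailto:)/i;   // rejects javascript:, data:, ...

function sanitize(html) {
  // Drop <script>/<style> elements wholesale, content included.
  const stripped = String(html).replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // Walk the remaining tags: drop unknown tags, keep only allowlisted attributes.
  return stripped.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, rawName, rawAttrs) => {
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';
    if (tag.startsWith('</')) return `</${name}>`;
    const allowed = ALLOWED_ATTRS[name] || new Set();
    const attrs = [];
    const attrRe = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    let m;
    while ((m = attrRe.exec(rawAttrs)) !== null) {
      const attrName = m[1].toLowerCase();
      const val = m[3] ?? m[4] ?? m[5] ?? '';
      if (!allowed.has(attrName)) continue;                 // kills onerror=, onclick=, style=
      if ((attrName === 'href' || attrName === 'src') && !SAFE_URL.test(val.trim())) continue;
      attrs.push(`${attrName}="${escapeHtml(val)}"`);      // re-quote and escape the value
    }
    return `<${name}${attrs.length ? ' ' + attrs.join(' ') : ''}>`;
  });
}

// Constructed sample input: a user comment that wants <b> to render as bold.
const userComment = 'Nice post! <img src=x onerror="alert(document.cookie)"> <b>thanks</b>';

// (a) Default: safe, but the <b> is shown as literal text, which is what
//     sends people to Stack Overflow in the first place.
function renderDefault(v) { return bind(v); }
// (b) The copy/pasted "fix": trust everything. The <b> works, and so does onerror.
function renderTrustEverything(v) { return bind(trustAsHtml(v)); }
// (c) What the escape hatch is for: trust only what you sanitised yourself.
function renderSanitized(v) { return bind(trustAsHtml(sanitize(v))); }

console.log('default   :', renderDefault(userComment));
console.log('trust all :', renderTrustEverything(userComment));
console.log('sanitised :', renderSanitized(userComment));
```

Run it with node: renderTrustEverything is the answer you get from copy/pasting, and renderSanitized is the version that keeps the <b> while dropping the img tag with its onerror handler. The same sanitize function also strips javascript: URLs from href and removes script elements, but being regex-based it is only there to show the shape of an allowlist; in a real application use the framework's own sanitiser or DOMPurify.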

Which brings me back to the main topic of this post: does everybody need to be a security expert? I’m still convinced that that is not the case. But I do believe that it’s important to know enough about security to not shoot yourself in the foot. If you’re clueless about security, you’re predestined to unknowingly introduce vulnerabilities at some point, and you’re gonna have a bad time.

Of course, stating that everybody should aim for at least a basic level of security awareness is easy. Actually getting there is a lot harder. Fortunately, just as Stack Overflow solves plenty of actual problems, plenty of resources out there will allow you to brush up your security skills. Below are a few pointers to high-quality, trustworthy and elaborate resources on Web security, to get you started.

If you can think of any items that should be on the list but are missing, don’t hesitate to let me know. Should you come across other Stack Overflow disasters, feel free to add them in the comments section.
