Last night Peter Bayer from Combitech held a talk on Application Security for a network I’m affiliated with called Webworkers.

Peter is an experienced Technical Security Adviser who, apart from doing vulnerability assessments, penetration tests and IT forensics, also teaches application security on security courses. Right now Peter is writing a chapter about secure programming for a Swedish security book that will be published during the spring of 2009.

Reflections on Peter’s talk

Peter’s talk made me realize that we as developers can do a lot to prevent security breaches in the applications we build just by taking these matters into consideration at an early stage of the development process. It also made me realize that there’s a lot to learn about building secure applications that I simply wasn’t aware of.

A false sense of security

Far too often we put our trust in firewalls and other outer-shell protections to do the work for us. But these merely give us a perimeter. Once an intruder is on the inside they don’t do us any good.

We also seldom take “misuse” of our application by ordinary users into account. These users are already on the inside and can operate freely if we haven’t taken the proper precautions to prevent it.

Application security vs Usability

One thing that I thought about was the trade-off between security and convenience. Take for example the many web applications where you can retrieve your password by answering a question like “What was your mother’s maiden name?”. That’s not really hard for someone to find out if they really want to break into your account. At the same time it’s convenient to be able to quickly and easily retrieve a lost password. I guess what it all boils down to is determining how important and confidential the data you’re protecting is.

Another thing that struck me was the parallel between how security and usability are often treated in a development project. Often neither is something the customer explicitly requires, and therefore it’s not accounted for in the project plan. Instead it comes up at the end of the project, right before launch: “Oh, it needs to be secure (usable) as well.”

It’s much harder to implement security at the end of a project, and that’s when it becomes really expensive. Peter said that security doesn’t have to be expensive: if you plan for it right from the start it doesn’t have to cost a lot. In my experience it’s the same with usability. It’s much cheaper to take it into consideration from the start than to add it at the end, and it also gives a much better result.

Download the presentation

Peter’s presentation in PDF format (Swedish)

Webworkers

Webworkers is a network of people working with the web in one way or the other. Our goal is to get better at what we do by learning from each other. We also invite interesting people, like Peter Bayer, to give talks about various topics.

Examples of professions involved in the network are developers, project leaders, business developers, designers and researchers. We operate mainly in the Växjö area in Sweden but plan to expand into other regions as well.

If you’re interested in joining the Webworkers network we have a group on LinkedIn that you can join. You can also contact me through the Contact page.