Why does forum software have more security features than “enterprise” tool chains?

I am constantly amazed by the sheer lack of security in the average “enterprise” tool. I’ve looked at many over the years, and most are designed to the “soft squishy center” anti-security model. Typically:

  • They do not implement any form of strong authentication, nor any facility to integrate with existing strong authentication solutions
  • They do not implement any form of strong identity handling, so when someone is logged into component A, it’s nearly impossible at component D to determine who is doing a particular action (see accountability below)
  • They do not make it easy to implement end-to-end access control (fine, medium, and coarse grained), so most of the time authZ is equivalent to “do what the hell you want to do”, allowing the golden apples to fall very easily
  • Often they rely on client-side tricks for security decisions and can be trivially tickled into doing something really dumb
  • Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day
  • Data validation misses the business rules, allowing tweaking of the golden apples, particularly on the way out. That old mainframe or ancient database is no more trustworthy than a slightly dodgy user
  • Modern business scenarios (business / trading partners, extranets, etc.) are very poorly handled
  • Encryption, if it is done at all, is of the crypto toy variety, or the folks leave the keys in the door. But 95%+ of the time it’s not even there, and yet here is all the value of the business, just lying there waiting to be rustled under the covers
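Two of the gaps above, identity handling across components and business-relevant accountability, can be closed with very little code. The following is an added example, not code from this post or from any product it criticises: component A (where the user actually logged in) mints a signed identity context, component D verifies it before acting and records who did what. The component names, the shared key, the `transfer_funds` action and the roles are all assumptions made for the illustration.

```python
"""Propagating an authenticated identity from component A to component D
and writing business-relevant audit records at D.

Added illustration; component names, key and sample action are assumed.
"""
import base64
import hashlib
import hmac
import json

# Assumption: a key provisioned out of band to components A and D.
SHARED_KEY = b"example-only-shared-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_context(user: str, roles: list, now: int, ttl: int = 300) -> str:
    """Component A issues a signed identity context after authenticating the user.

    The HMAC covers subject, roles and expiry, so a downstream component can
    attribute an action to a person without trusting a bare user id.
    """
    body = json.dumps({"sub": user, "roles": sorted(roles), "exp": now + ttl},
                      separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_context(token: str, now: int) -> dict:
    """Component D verifies the context before acting.

    Raises ValueError on a malformed, tampered or expired context; it never
    accepts an unsigned identity handed over by an upstream component.
    """
    try:
        body_s, sig_s = token.split(".")
        body, sig = _unb64(body_s), _unb64(sig_s)
    except Exception:
        raise ValueError("malformed identity context")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("identity context signature invalid")
    ctx = json.loads(body)
    if ctx["exp"] <= now:
        raise ValueError("identity context expired")
    return ctx


# Business-relevant audit trail: one record per attempted action, naming the actor.
AUDIT = []


def transfer_funds(token: str, from_acct: str, to_acct: str,
                   amount: int, now: int) -> dict:
    """Component D business action (assumed for the example).

    Authorisation is decided on the verified identity, and the audit record
    captures actor, action, business objects and outcome, not raw debug noise.
    """
    ctx = verify_context(token, now)
    allowed = "treasury" in ctx["roles"]
    record = {"ts": now, "actor": ctx["sub"], "action": "transfer",
              "from": from_acct, "to": to_acct, "amount": amount,
              "outcome": "allowed" if allowed else "denied"}
    AUDIT.append(record)  # denied attempts are recorded too
    if not allowed:
        raise PermissionError(f"{ctx['sub']} may not transfer funds")
    return record


if __name__ == "__main__":
    tok = mint_context("alice", ["treasury"], now=1000)
    print(transfer_funds(tok, "ACC-1", "ACC-2", 250, now=1010))
```

A shared HMAC key means any component holding it can mint contexts as well as verify them; where component D should only be able to verify, use an asymmetric signature or a central token service instead. The shape of the audit record is the point of the second half: an auditor can answer "who moved money where, and was it allowed" from it directly.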

A counterpoint to this is forum software. Admittedly, I help write forum software in my copious spare time (read: none at all), but considering that in most cases the value of the asset being protected is precisely zero dollars, it’s amazing just how many security controls turn out to be relevant (and useful). They do what they do well, and yet, under repeated and automated attack, they have had to implement pretty much all of the OWASP Guide’s suggestions.

I honestly wonder why folks think that “enterprise” software is somehow magically safe or scalable.

Published by vanderaj

Just another security geek


3 Comments

  1. “Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day ”

    Couldn’t agree more, Nodster. There’s a veritable shitload of wasted resource on collecting info that’s never (going to be) used.

    As well as asking “Why?” and “How?” questions around each datum, it’s often worth getting a risk or legislative compliance person involved. I’ve been to one client site recently where they were collecting (what seemed to me) the weirdest collection of stuff. When I asked why, it ended up they had gone through an extensive risk/legislative review (compared against business rather than technical ends) and found the bare minimum of stuff they needed to collect. The geeks added in a couple of other data, which they wanted to use for performance tuning purposes.

    Good post.

    PE
