I am constantly amazed by the sheer lack of security in the average “enterprise” tool. I’ve looked at many over the years, and most are designed to the “soft squishy center” anti-security model. Typically:
- They do not implement any form of strong authentication, nor any facility to integrate with known strong authentication solutions
- They do not implement any form of strong identity handling, so when someone is logged into component A, it’s nearly impossible at component D to determine who is doing a particular action (see accountability below)
- They do not make it easy to implement end-to-end access control (fine, medium, and course grained), so most of the time, authZ is equivalent to “do what the hell you want to do”, allowing the golden apples to fall very easily
- Often they do client-side stupid tricks and can be trivially tickled into doing something really dumb
- Accountability is simply missing. Yes, many systems have logs, but they are business irrelevant. My personal view is that if a business person doesn’t care about a log entry, it’s not worth collecting. Accountability is the key here, not 1 GB of logs per day
- Data validation misses the business rules allowing tweaking of the golden apples, particularly on the way out. That old mainframe or ancient database is no more trustworthy than a slightly dodgy user
- Modern business scenarios (business / trading partners, extranets, etc) are very poorly done
- Encryption, if it is done at all, is of the crypto toy variety or the folks leave the keys in the door. But 95%+ of the time, it’s not even there, and yet here is all the value of the business, just lying there waiting to rustled under the covers
A counterpoint to this is forum software. Admittedly, I help write forum software in my copious spare time (read: none at all), but considering that in most cases, the value of the asset being protected is precisely zero dollars, it’s amazing just how many security controls are relevant (and useful). They do what they do well, and yet they have to implement – through repeated and automated attacks – pretty much all of the OWASP Guide’s suggestions.
I honestly wonder why folks think that “enterprise” software is somehow magically safe or scalable.