Human Realities in Security Engineering

A few days ago a co-worker was running into some issues evaluating some code. The code relied on an older framework, and he was trying to come up with ways around its built-in security measures. It was fairly successful at stopping direct attacks, so he asked the group for some thoughts. After some discussion I asked him, "Wait, when was this framework written?" Then, once we had that answer, "What do we know now about security that they didn't know then?" Frameworks that have been abandoned don't often evolve. It's rare to see them patched, and even when they are, it's usually by a small handful of people who might miss something. It stands to reason that there are likely lots of newer vectors, encodings and bypasses that have come into existence since the abandoned code was last supported.

Shortly afterward he got past the controls in place.

Remember: developers are people. We hold high ideals about security vulnerabilities, but the reality is that you only need to be better than the person (or people) who developed the software, and in particular to know what they did not know when they wrote it. If you can get into their head a bit about what they were, or are, likely to know and expect, you can make some pretty decent gains in understanding how to get past it. Attack their assumptions, their expectations and their dependencies, and you are more likely to get past them.
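The point about time-bound knowledge can be made concrete. What follows is an added example, not code from this post or from any real framework: a hypothetical blocklist filter written in the style of a mid-2000s web framework, checked against probe strings that were textbook knowledge at the time and against ones that entered common use later (HTML5 elements and event handlers, an entity-encoded URL scheme). The filter patterns, the probe strings and every function name are constructed for the illustration.

```python
"""Added illustration: a blocklist written against one era's threat knowledge,
checked against inputs from a later era.

Everything here is constructed for the example. LEGACY_BLOCKLIST is a
hypothetical stand-in for the kind of input filter found in mid-2000s web
frameworks; it is not taken from any real framework. The payloads are
standard textbook XSS probes, grouped by roughly when they became common
knowledge.
"""
import html
import re

# Hypothetical legacy filter: reject the input if any pattern matches.
LEGACY_BLOCKLIST = [
    re.compile(r"<\s*script", re.I),                            # <script> tags
    re.compile(r"javascript\s*:", re.I),                        # javascript: URLs
    re.compile(r"\bon(click|load|mouseover|error)\s*=", re.I),  # the handlers the author knew about
    re.compile(r"<\s*(iframe|object|embed)", re.I),             # frame / plugin injection
]


def legacy_filter(value: str) -> bool:
    """Return True when the legacy filter would let `value` through unchanged."""
    return not any(pattern.search(value) for pattern in LEGACY_BLOCKLIST)


def legacy_filter_after_decoding(value: str) -> bool:
    """Same filter, applied after HTML entity decoding, i.e. to what the browser
    would actually see. Closes the encoding gap but not the vocabulary gap."""
    return legacy_filter(html.unescape(value))


# Constructed probe inputs. "contemporary" is what the filter's author was
# defending against; "later" is vocabulary and encoding tricks that entered
# common use after the filter was written.
PAYLOADS = {
    "contemporary": [
        "<script>alert(1)</script>",
        "<img src=x onerror=alert(1)>",
        '<a href="javascript:alert(1)">x</a>',
        '<iframe src="http://example.invalid/"></iframe>',
    ],
    "later": [
        "<details open ontoggle=alert(1)>",          # HTML5 element and handler not in the list
        "<input autofocus onfocus=alert(1)>",        # fires without user interaction
        "<body onpageshow=alert(1)>",                # handler name the author never saw
        "<video src=x onloadstart=alert(1)>",        # the regex expects '=' right after 'onload'
        '<a href="&#106;avascript:alert(1)">x</a>',  # entity-encoded scheme; the browser decodes it
    ],
}


def audit(check=legacy_filter) -> dict:
    """Map each era to the payloads that `check` accepts, i.e. the filter's misses."""
    return {era: [p for p in probes if check(p)] for era, probes in PAYLOADS.items()}


def encode_for_html(value: str) -> str:
    """The alternative that does not depend on a vocabulary of bad input: encode
    output for the HTML text / quoted-attribute context it lands in."""
    return html.escape(value, quote=True)


def all_neutralized() -> bool:
    """True if output encoding leaves no raw markup or quote in any probe payload."""
    return all(
        "<" not in encode_for_html(p) and '"' not in encode_for_html(p)
        for probes in PAYLOADS.values()
        for p in probes
    )


if __name__ == "__main__":
    for era, misses in audit().items():
        print(f"{era:13s} payloads passing the legacy filter: {len(misses)}")
        for p in misses:
            print("   ", p)
    still_passing = audit(legacy_filter_after_decoding)["later"]
    print(f"after entity decoding, still passing: {len(still_passing)}")
    print("output encoding neutralises everything:", all_neutralized())
```

Running it shows the filter catching every contemporary probe and none of the later ones; decoding entities before the check removes the encoded-scheme bypass but leaves the new event handlers untouched, because the list of names is the assumption that aged. Encoding output for the context it lands in sidesteps the guessing game for HTML text and quoted attributes; URL, JavaScript and CSS contexts each need their own encoder, which the example does not cover.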

Though I haven't really found a comprehensive list of modern attack vectors by year, you might be able to review exploit-db or some other vulnerability listing to look up the language and even similar frameworks by year. You could also go look at DEF CON talks and see what people released in the years afterward 🙂

Just some quick thoughts…
