04 November 2008

Functionality Beyond the Specification

The 2008 EU Summit for the Open Web Application Security Project (OWASP) has begun and I'm looking forward to learning about more of the projects - directly from the project leaders who are here. Many of the initiatives are to reduce vulnerabilities as early as possible in project development - and this means in studies, planning, specification, design and development. An area that interests me is how vulnerabilities become incorporated into an application.

Organisations spend considerable resources trying to ensure their design and functional requirements are built into the delivered web site application. Security issues often relate to functionality that exists, but wasn't asked for.

What does this mean? As an analogy, consider the domestic gas meters found in many United Kingdom (UK) homes:

Photograph showing three domestic gas meters and pipewaork mounted on a wall

Like many things, gas meters are regulated - see the UK Statutory Instrument Measuring Instruments (Gas Meters) Regulations 2006. While gas meters must comply with the legislative requirements such as certification, the functional requirements will typically include:

  • Measurement of gas usage
  • Local indication of the cumulative usage on the meter (often dials and/or a numerical display)

Some may also have the following:

  • Remote indication of usage elsewhere
  • Prepayment charging

But what other functions are there?

  • Some meters were found to be susceptible to "tipping" where flexible connectors are twisted until the meter is laid horizontally on its back rather than vertically, allowing gas to pass without being measured.
  • Meters are often in publicly accessible locations and are therefore subject to having the supply valves turned off as a prank or maliciously
  • Meters can be bypassed
  • Others have stolen the newer Electronic Token Meters (ETM) with payment credit value on the meter, which can be used at another house by stealing and moving the meter.
  • Yet others have stolen the adjoining pipework due to the scrap value of the copper.

None of these uses/functions were intended. This is similar to web sites and web applications. Good designers and developers will develop, implement and operate these defensively with a security mindset - because people will accidentally and maliciously attempt things that you never intended them to be used for.

Posted on: 04 November 2008 at 07:50 hrs

Comments Comments (0) | Permalink | Send Send | Post to Twitter

Comments

Comments are filtered automatically and should appear shortly after they been checked.

Post a comment
Confirm acceptance and understanding of the terms of use
New posts to this thread will be sent to your email address
Functionality Beyond the Specification
http://www.clerkendweller.com/2008/11/4/Functionality-Beyond-the-Specification
ISO/IEC 18004:2006 QR code for http://clerkendweller.com

Page http://www.clerkendweller.com/2008/11/4/Functionality-Beyond-the-Specification
Requested by 38.107.179.220 on Tuesday, 7 February 2012 at 21:31 hrs (London date/time)

Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2012 clerkendweller.com