The 2008 EU Summit for the Open Web Application Security Project (OWASP) has begun and I'm looking forward to learning about more of the projects - directly from the project leaders who are here. Many of the initiatives aim to reduce vulnerabilities as early as possible in project development - and this means in studies, planning, specification, design and development. An area that interests me is how vulnerabilities become incorporated into an application.
Organisations spend considerable resources trying to ensure their design and functional requirements are built into the delivered web site application. Security issues often relate to functionality that exists, but wasn't asked for.
What does this mean? As an analogy, consider the domestic gas meters found in many United Kingdom (UK) homes:
Like many things, gas meters are regulated - see the UK Statutory Instrument Measuring Instruments (Gas Meters) Regulations 2006. While gas meters must comply with the legislative requirements such as certification, the functional requirements will typically include:
- Measurement of gas usage
- Local indication of the cumulative usage on the meter (often dials and/or a numerical display)
Some may also have the following:
- Remote indication of usage elsewhere
- Prepayment charging
But what other functions are there?
- Some meters were found to be susceptible to "tipping" where flexible connectors are twisted until the meter is laid horizontally on its back rather than vertically, allowing gas to pass without being measured.
- Meters are often in publicly accessible locations and are therefore subject to having the supply valves turned off as a prank or maliciously.
- Meters can be bypassed.
- Others have stolen the newer Electronic Token Meters (ETM) that hold payment credit value, which can then be used at another house by moving the meter.
- Yet others have stolen the adjoining pipework due to the scrap value of the copper.
None of these uses/functions were intended. This is similar to web sites and web applications. Good designers and developers will develop, implement and operate these defensively with a security mindset - because people will, accidentally and maliciously, attempt to use them for things you never intended.