During a web hacking class I recently taught, I noted that usually security testers spend more time writing up findings than actually hacking. This is also the case with code reviews; properly explaining security issues requires an awful lot of verbiage.
With all that writing going on to describe web security issues, a few new words get cooked up to describe certain "undefinable" terms. I've collected a few neologisms I've seen floated around in white papers and reports. All of the words below got a red squiggly underline in Microsoft Word. Got anything to add?
Unvalidated, adj. Referring to data which has not been checked for validity or appropriateness.
Untrusted, adj. Referring to an entity which is not under immediate control, and may be under the control of an attacker.
Canonicalize, verb. The process of converting data into its canonical form - a single, agreed representation.
Proxied, adj. That which has been sent through a proxy.
Misconfiguration, noun. A configuration setting which is incorrect, or introduces a weakness into a system
Decompilation, noun. The act of reverse engineering (decompiling) code which has compiled to a binary format back to its original source code.
Keystore, noun. A file or digital repository for storing cryptographic keys and key pairs.
Deprovision, verb. To remove from a directory.
I attended the Rich Web Experience conference in San Jose last week, along with my colleague Dean Saxe (who was speaking there on AJAX Security and Web Hacking).
I'm not much of a Web 2.0 designer, and some of the talks were lost on me. It reminded me a bit of a web services conference I went to a few years ago, where people were frothing at the mouth about how their <insert buzzword here> library was the end-all, be-all approach and others didn't deserve a second flush. Now, I'm sure if I was involved day-to-day in a Web 2.0 design project, I would be frothing with the best of them. As it was, I was just trying to decipher acronyms and count the number of iTunes, Gmail, and Twitter references.
There was, however, some interesting security conversation. A couple of other speakers, Joe Walker and Douglas Crockford, and Dean and I (well, really Dean, but I tagged along) were invited to a security Birds of a Feather meeting. Among the topics discussed were the prevalence of XSS, the problem with SiteKey and other anti-phishing technologies, and the inherent insecurity of cross-domain mash-ups.
I found the last subject particularly interesting. To me, mash-ups at first seemed a little cutesy and limited, but the more I learn about the RESTful and Semantic Web, the more I realize that we (the web service providers) should all be talking the same language, and talking openly. Of course, this convolutes the current security model of the web.
One interesting question I still don't know the answer to is who makes the trust decisions in a mashup. Do I say which services can talk to each other, and what type of information they can exchange, as a user? Or does the service get to make those decisions? I think fundamental questions like this need to be ironed out. There's
plenty
of
research going on right now about secure mashups. Summing up the thoughts of the similarly-feathered birds at the conference, I can say:
I hope we don't cause more browser divergence.
I hope we don't burden the user with security decisions they aren't prepared to make.
