Marc Maiffret is a worried man.
The chief hacking officer and co-founder of eEye Digital Security looks at the rising popularity of hosted Web applications and sees a future where legitimate bug hunters are blocked from auditing popular product for security flaws.
“How can you do an independent code audit when you have no access to the application? You look at [Microsoft’s] Windows Live or Google; everything is sitting on the server. If I want to audit an application, I have to launch an attack against Microsoft’s server, which is obviously illegal,” Maiffret said.
“It’s creating an environment where the bad guys are looking for vulnerabilities and the responsible researchers are shut out. The criminals don’t care about attacking a server and breaking a law. We’re the ones that have to worry about that,” he added.
Maiffret’s eEye is a noted research outfit credited with finding numerous critical vulnerabilities in Microsoft’s Windows operating system and other widely deployed products, but he is concerned that the software-as-a-service realm will lull the industry into a false sense of security.
“I’m sure Microsoft will be happy to say that no bugs have been reported in Windows Live and it’s the most secure application. But how will you ever know that if no one’s allowed to audit the code?”
Maiffret’s concern was shared by John Pescatore, senior vice president of research at Gartner Inc.
“Today I can buy software, test it and confirm for myself that it’s secure for my use. In the new world, even if Live.com is secure today, Microsoft could make changes tomorrow and there’s no way to know if I’m secure tomorrow. That’s a legitimate concern.”
While large-scale enterprises can negotiate the right to run random code audits into SLAs (service level agreements), the smaller companies that use on-demand applications to cut costs won’t have the budget to handle that luxury, Pescatore added.
To counter the absence of independent third-party audits, he suggests small to midsize businesses do due diligence to ensure service providers have documented policies for hardening the application and the operating system under the Web and other servers.
“You want to know how they are reviewing the security of scripts and the code they are integrating into the applications. Are they using intrusion detection services for the application? Are the procedures for installing security patches documented? How are they hiring the people who are managing the application? These are some very big questions,” Pescatore added.
To read more insight about on-demand software, click here.
Pete Lindstrom, an analyst with Spire Security in Malvern, Pa., said he does not buy into the theory that external vulnerability research leads to a more secure IT environment.
He pointed out that even in today’s environment, private research outfits still findand reportcross site scripting and SQL injection vulnerabilities in popular Web sites.
There have been cases in the past when security flaws have been publicly reported in Google’s Web applications, and other Web e-mail services.
But Maiffret is convinced the day will come when the growth of the Live.com model will force a rebirth of the “underground hacker” culture instead of the up-front discovery and reporting of bugs.
That, he insists, is something to worry about.
Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.