We all have relatives who never see a doctor because they just don’t want to know if there is something really wrong with them. Living a left-brain life (i.e., logical, analytical), I always cringe and unsuccessfully suggest the ‘more information is better’ approach to medical care when my relatives channel their ostrich spirits. Somehow the concept of plausible deniability breaks down when thinking about the early detection potentially fatal disease. Just another confirmation of my adoption.
The more time I spend in the world of web application security, the more I have come to understand the same ‘best not to know’ mentality isn’t limited to my Thanksgiving dinner conversations. I’ve approached developers and design and development companies with the thought of pre-launch web application security scans, done on the staging server (with no concern for site damage or down time). More times than I can count, these conversations end up in an agreement that web security is essential but there is no desire to find out how really secure the target site really is. I’ve flirted with a lot of theories on why these otherwise clever folks would prefer not to know the security status of their sites, but with little real understanding. Finally, I cornered a good friend (owner of a prestigious web design company) and asked him why he kept turning down my offers. In retrospect, his answer should have been obvious. He simply said that when one of the websites that his company produced was hacked, he wanted to be able to look the client in the eye and say his company did everything in its power to produce a secure site. As long as he didn’t know his product was a security risk, he was OK - plausible deniability. My friend is an honest man, and I’ve had this same conversation with other design and development company owners as well as freelance developers; web site security plausible deniability is pretty widespread.
My friend’s reasons for turning down my offer for a free web scan (yes, no cost) on his new websites, while disconcerting, is not unreasonable from his perspective. Web application security development is hard and his company doesn’t have the correct staff needed to produce secure sites. They will do the best they can as far as security is concerned, hope his clients don’t hacked, and plead honest ignorance should a breach occur. Given this, I don’t think approaching the need for web application security from a development side (70% of all websites contain major security flaws) is going to change the way we build websites.
The other end of web application security is, of course, the client company for which the website is being created. As business owners, we all read about major security breaches happening these days and say a small “thank you” prayer when it’s not our name making headline news. While prayers have their place in the world, I sometimes wonder why client companies don’t demand security accountability when funding a new website. Where is the disconnect between seeing Sony and Lockheed getting killed in the press and flat out asking our development companies whether our new $50,000 (or whatever the price may be) website will be secure against attacks? We all know (or should know) that no website is ever 100 percent secure, but does that mean we should easily give ourselves up to the kiddie scripters who are going to run a simple YouTube described attack on our site?
My conversations with our web application development clients always include my proud statements that we focus on secure web development as well as quality web site production. While my clients seem to appreciate this fact, it is almost never an important component in our relationship. It is not as though most of my clients don’t know of security problems, we always chat about the latest headline breach; it is as though security is not just not part of their company cultures. I’ve given this seemingly security complacent viewpoint of client companies some thought and have come up with the following possibilities:
1. Perhaps the client views security as one of self-evident truths in life - like brakes on a new car or a straw with your shake at McDonalds, it’s just part of the total package. Of course, they might think, the new site will be as secure as technically possible – why would it not? Unfortunately this just supports the plausible deniability trend, where development teams are happy to just not to bring security up.
2. Many clients, even those with critical data either just don’t believe there would be a problem if they did get hacked or firmly believe web application attacks only happen to the really important sites (a topic for another day).
3. Some companies don’t live in the technology world. Their focus is their business and while they know they need a website to survive in this Internet age, the technology behind a website is just as magic as the inner workings of their cell phones. As a gentle observation, they’re clueless.
To repeat an amazing statistics: 70 percent of all websites contain major security flaws, and that number is not getting any smaller. The good news (bringing my Midwest wife’s optimism for life in here) is that there are so many flawed websites in the world, the probability of your site getting hacked is substantially lowered - so many sites to hack, so little time. On the pragmatic side, if your new website starts with and is developed with security expectations it will be so far above the crowd it has a great chance of being passed over by anyone but the professional hackers – and those guys really are too busy going after the big guys to worry about you.
My words of advice – place security as one of the stated requirement on your next website and eliminate plausible deniability as an option. If your development company commits to a secure website then you have a great chance of getting one. Or, if you're Sony or Lockheed, those afternoon prayers might be worth the time.
Related Reading: Understanding Web Application Security
IT Security Resource: Justifying IT Security: Managing Risk & Keeping Your Network Secure