
Plausible Deniability: The Web Security Version

We all have relatives who never see a doctor because they just don’t want to know if there is something really wrong with them. Living a left-brain life (i.e., logical, analytical), I always cringe and unsuccessfully suggest the ‘more information is better’ approach to medical care when my relatives channel their ostrich spirits. Somehow the concept of plausible deniability breaks down when thinking about the early detection of a potentially fatal disease. Just another confirmation of my adoption.

Should Web Sites Be Tested?

The more time I spend in the world of web application security, the more I have come to understand that the same ‘best not to know’ mentality isn’t limited to my Thanksgiving dinner conversations. I’ve approached developers and design and development companies with the thought of pre-launch web application security scans, done on the staging server (with no concern for site damage or downtime). More times than I can count, these conversations end in agreement that web security is essential but with no desire to find out how secure the target site really is. I’ve flirted with a lot of theories on why these otherwise clever folks would prefer not to know the security status of their sites, but with little real understanding. Finally, I cornered a good friend (owner of a prestigious web design company) and asked him why he kept turning down my offers. In retrospect, his answer should have been obvious. He simply said that when one of the websites his company produced was hacked, he wanted to be able to look the client in the eye and say his company had done everything in its power to produce a secure site. As long as he didn’t know his product was a security risk, he was OK – plausible deniability. My friend is an honest man, and I’ve had this same conversation with other design and development company owners as well as freelance developers; web site security plausible deniability is pretty widespread.

My friend’s reasons for turning down my offer of a free web scan (yes, no cost) on his new websites, while disconcerting, are not unreasonable from his perspective. Secure web application development is hard, and his company doesn’t have the staff needed to produce secure sites. They will do the best they can as far as security is concerned, hope his clients don’t get hacked, and plead honest ignorance should a breach occur. Given this, I don’t think approaching the need for web application security from the development side (70% of all websites contain major security flaws) is going to change the way we build websites.

The other end of web application security is, of course, the client company for which the website is being created. As business owners, we all read about the major security breaches happening these days and say a small “thank you” prayer when it’s not our name making headline news. While prayers have their place in the world, I sometimes wonder why client companies don’t demand security accountability when funding a new website. Where is the disconnect between seeing Sony and Lockheed getting killed in the press and flat out asking our development companies whether our new $50,000 (or whatever the price may be) website will be secure against attacks? We all know (or should know) that no website is ever 100 percent secure, but does that mean we should simply hand ourselves over to the script kiddies who are going to run a simple attack they saw described on YouTube against our site?

My conversations with our web application development clients always include my proud statements that we focus on secure web development as well as quality web site production. While my clients seem to appreciate this fact, it is almost never an important component in our relationship. It is not as though most of my clients don’t know about security problems; we always chat about the latest headline breach. It is as though security is just not part of their company cultures. I’ve given this seemingly security-complacent viewpoint of client companies some thought and have come up with the following possibilities:

1. Perhaps the client views security as one of the self-evident truths in life – like brakes on a new car or a straw with your shake at McDonald’s, it’s just part of the total package. Of course, they might think, the new site will be as secure as technically possible – why would it not? Unfortunately this just supports the plausible deniability trend, where development teams are happy just not to bring security up.

2. Many clients, even those with critical data, either just don’t believe there would be a problem if they did get hacked or firmly believe web application attacks only happen to the really important sites (a topic for another day).

3. Some companies don’t live in the technology world. Their focus is their business and while they know they need a website to survive in this Internet age, the technology behind a website is just as magic as the inner workings of their cell phones. As a gentle observation, they’re clueless.

To repeat an amazing statistic: 70 percent of all websites contain major security flaws, and that number is not getting any smaller. The good news (bringing my Midwest wife’s optimism for life in here) is that there are so many flawed websites in the world that the probability of your site getting hacked is substantially lowered – so many sites to hack, so little time. On the pragmatic side, if your new website starts with and is developed against security expectations, it will be so far above the crowd that it has a great chance of being passed over by anyone but the professional hackers – and those guys really are too busy going after the big guys to worry about you.

My words of advice – make security one of the stated requirements on your next website and eliminate plausible deniability as an option. If your development company commits to a secure website, then you have a great chance of getting one. Or, if you’re Sony or Lockheed, those afternoon prayers might be worth the time.
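One way to turn “security as a stated requirement” into something a development company can be held to is a pre-launch gate that runs against the staging server and blocks the launch if it fails. The script below is an added example written for this page, not code from the column or from any scanner it alludes to. The checks it performs (a few response headers and session-cookie attributes) are this editor’s choice of a minimal baseline, not anything the article prescribes, and the two sample responses are constructed stand-ins for a staging server rather than real captures. The `scan_url` function that fetches a live URL is there for real use and is not exercised by the offline demo.

```python
"""Minimal pre-launch baseline check for a staging site (added example).

The checks here are an assumed minimal baseline chosen for illustration;
a real launch requirement would list its own. Sample responses are constructed.
"""
import sys
import urllib.request
from http.cookies import SimpleCookie

# Headers a written launch requirement might insist on, each with a predicate
# that says what "present and sane" means for that header.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Headers that advertise the stack; they help an attacker pick an exploit.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def check_headers(headers):
    """Return findings for a dict of response headers (names compared case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif not ok(value):
            findings.append(f"weak header: {name}: {value}")
    for name in FINGERPRINT_HEADERS:
        if lowered.get(name, "").strip():
            findings.append(f"fingerprint header exposed: {name}: {lowered[name]}")
    return findings


def check_cookies(cookies, https=True):
    """Return findings for a list of raw Set-Cookie header values."""
    findings = []
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Morsel flags are True when present and "" when absent.
            if not morsel["httponly"]:
                findings.append(f"cookie without HttpOnly: {name}")
            if https and not morsel["secure"]:
                findings.append(f"cookie without Secure: {name}")
            if not morsel["samesite"]:
                findings.append(f"cookie without SameSite: {name}")
    return findings


def scan(status, headers, cookies, https=True):
    """Run every check; return (passed, findings) so a pipeline can gate on it."""
    findings = []
    if status >= 500:
        findings.append(f"server error on landing page: HTTP {status}")
    findings += check_headers(headers)
    findings += check_cookies(cookies, https)
    return (len(findings) == 0, findings)


def scan_url(url):
    """Fetch a live staging URL and run the checks (network; not used in the offline demo)."""
    with urllib.request.urlopen(url) as resp:
        headers = dict(resp.headers.items())
        cookies = resp.headers.get_all("Set-Cookie") or []
        return scan(resp.status, headers, cookies, https=url.lower().startswith("https://"))


# Constructed sample responses standing in for a staging server (not real captures).
SAMPLE_WEAK = {
    "status": 200,
    "headers": {"Server": "Apache/2.2.15", "X-Powered-By": "PHP/5.3", "Content-Type": "text/html"},
    "cookies": ["PHPSESSID=abc123; Path=/"],
}
SAMPLE_HARDENED = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "Content-Type": "text/html",
    },
    "cookies": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    results = {}
    for label, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        passed, findings = scan(**sample)
        results[label] = passed
        print(f"{label}: {'PASS' if passed else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
    # Gate: a failing scan of the site that is about to launch blocks the launch.
    sys.exit(0 if results["hardened"] else 1)
```

The point of the gate is that it is written down and run every time, so “we did everything in our power” becomes a checked statement rather than a hope. Pointing `scan_url` at the staging hostname from the build pipeline, with a non-zero exit blocking the deploy, is enough to remove plausible deniability for at least this baseline.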

Related Reading: Understanding Web Application Security

IT Security Resource: Justifying IT Security: Managing Risk & Keeping Your Network Secure
