Friday, March 30, 2012

Pwn2Own Win!...


Earlier in my blog I mentioned the hacking contest named Pwn2Own. Well, this article about Pwn2Own shows you just how easy and fast it is for focused minds to write code that can exploit a vulnerability. While the contest's main focus was on browsers, for example Internet Explorer, Google Chrome, and Mozilla Firefox, it just goes to show you how important security should be for any software.

I find it rather amusing that the contestants found vulnerabilities and programmed the exploits in as little as one hour. What is scary is that the targets of the exploits were web browsers, major names in the industry, that almost everyone uses. It brings to light how important solid code conventions, proper programming practices, and astute analysis of risks are in all things software design. How is a product supposed to be the 'best' in the business if it has as many holes as Swiss cheese? It's also fairly interesting, and the article sort of suggests it, that software designers do not have the philosophy of security first. From what I understand, they merely wait until an exploit is made public before deciding to make patching that vulnerability a priority.

What I mean to say is software engineers need to have an intuition about their code. I feel as though there needs to be some kind of expertise involved, some shooting down of ideas because they pose a security threat, and also some more emphasis placed on solid code to prevent cheesy hacks from being possible. Companies are in my opinion too focused on being better, and improving on a product. When your product is currently full of holes, how is that not at the top of the queue? 'If it ain't broke don't fix it?' If the screws are loose, it's not broken yet; does that mean you don't need to tighten them up a bit and maybe use a little thread lock this time? I think not.

I feel like it's a perpetual cycle of crap upon crap. You can't build your house on a shoddy foundation, so stop building your software additions on top of sub-par products. Make it a priority! It's impossible to fix all the bugs, and some bugs are only noticeable once they are exploited or brought to light; however, most bugs are generally fairly obvious. My cynical assumption is that some software design teams will say, “Oh I see how that could be a problem but nobody has done that yet so it's not really an issue.” To me this is a huge mistake, incurs massive technical debt in a product, and ultimately will lead to more work in the future.

Also, as I have mentioned before, a belief that security through obfuscation is acceptable is a misguided and detrimental one. I am glad that Pwn2Own offered cash prizes for finding exploits, and I am glad that it brings the issue of design priorities to light.

"We created six different exploits in less than 24 hours, which demonstrates that with enough resources and expertise, a team of motivated researchers can write reliable exploits in a very short time,"

Imagine what, for example, a team backed with the budget of a nation state, a growing world power, could accomplish. To me it's scary, and not to be Chicken Little, but we all need to start designing with security in mind, and not just as an afterthought.
