Tuesday 30 October 2012

The next level App Security Social Graph

My core belief is that openness and visibility will eventually create a model/environment where the 'right thing' tends to happen, since it is not sustainable (or acceptable) to do the 'wrong thing' (which, without that visibility, is usually neither exposed nor contested). See the first couple of minutes of the Git and Democracy presentation for a really powerful example of this 'popular/viral awareness' in action.

When I look at my country (Portugal and now the UK) or my industry (WebAppSec) I see countless examples of scenarios where, if information was being disclosed and presented in a consumable way, A LOT of what happens would not be tolerated.

For example, we in the WebAppSec industry know how bad the software and applications created every day are. And we (and the customers) have accepted that vulnerabilities are just part of creating software, and that the best we can do is to improve the SDL (and reduce risk).

But, if the real scale of the problem was known, would we (as a society or industry) accept it? Would we accept that large parts of our society are built on top of applications that very few people have any idea how they work (let alone whether they are secure)?

So while OWASP is busy booking meetings to have meetings, the rest of the world is moving on, and is trying to find ways to connect data sets in a way that 'reality is understandable/visible', so that what is really going on is exposed in an easy-to-consume and actionable way.

For example, take a look at the Next Level Doctor Social Graph for an attempt at driving change while trying to figure out a commercially viable way of doing it (check out their "Open Source Eventually" idea).

From that page, here is their description of the problem:

"It is very difficult to fairly evaluate the quality of doctors in this country. Our State Medical Boards only go after the most outrageous doctors. The doctor review websites are generally popularity contests. Doctors with a good bedside manner do well. Doctors without strong social skills can do poorly, even if they are good doctors. It is difficult to evaluate doctors fairly. Using this data set, it should be possible to build software that evaluates doctors by viewing referrals as “votes” for each other." (see related reddit thread here)

This is what they call the Next Level Doctor Social Graph, and when I was reading it I was thinking about doing the same for software/apps under the title: The next level App Security Social Graph.

Here is the same text with some minor changes (in bold) on what The next level App Security Social Graph could be:

"It is very difficult to fairly evaluate the quality of software/application's security in this country. Our regulators only go after the most outrageous incidents/data-breaches. The product/services websites are generally popularity contests. Applications with a good marketing do well. Applications without strong presentation skills can do poorly, even if they are secure applications. It is difficult to evaluate security fairly. Using this data set, it should be possible to build software that evaluates application's security by viewing ..... (to be defined)"

It would be great if the current debate was on that ..... (to be defined) bit (ideally with a number of active experiments going on to figure out the best metrics) ... but we are quite far away from that world ....

... meanwhile another 8763 vulnerabilities (change this value to a quantity you think is right) have just been created since you started reading this post. These 'freshly baked' vulnerabilities are now in some code repository and will be coming soon to an app that you use (and your best defence is to hope that you are not caught by their side-effects).