Justice League Blog
Software, the New Insider Threat
The insider threat has always been invoked and then ignored by computer security types. That kind of treatment may have worked (accidentally) during the network security days, but such old-fashioned thinking is quickly becoming a problem as distributed software becomes more complex. The problem is really one of trust, and the new insider is built right into modern software.
Put on your software architect hat for a moment. Most architects think in terms of boxes and arrows. The boxes roughly correspond to software components, with the arrows being connections between components. In a standard view like this, there is little or no notion of trust. That is, all components are equal in the eyes of the designer.
The problem is that in new massively distributed software architectures (think Google Desktop or World of Warcraft clients) have components that run entirely on untrusted machines. If part of your software architecture runs on a potential attacker’s box you really need to think hard about what happens when it is manipulated. If you don’t, you quickly become subject to insider attacks of a new sort. Your own software will attack itself.
When building a boxes and arrows architecture for modern software (especially SOA software), make sure that you explicitly consider the trust model and take into account the new twist on insider attacks. Be especially mindful of time and state problems. Make sure that trusted servers think carefully about any state that they consume from untrusted clients.
For a couple of examples of this and a slightly more formal treatment, see my Darkreading column from 8/14/07.
[tags]software security, world of warcraft, WoW, software[/tags]
-
http://www.cigital.com/~gem gem
