Tiptoeing Through Vulnerabilities

I sympathize with developers who throw up their hands and say, “I don’t do security stuff.” No matter what you choose, there’s a trade-off that could go wrong. It’s especially troublesome if one deploys a “security website.” I’ve deployed security education websites in many environments over the past 20 years, and I rarely achieve the security level I’d like.

I wanted to watch a security webinar today. But the webinar requires Adobe Flash, in which security researchers seem to uncover 1 or 2 vulnerabilities a month. I discarded Flash when upgrading my OS a couple years ago. It’s ironic that a security webinar might tempt it back onto my machine.

The webinar’s tantalizing title is The Vulnerability History Project. The webinar is sponsored, more or less, by the Association for Computing Machinery (ACM). The project seeks to put historical vulnerability data on-line with appropriate searching and metadata tools.

I love history and I love vulnerability research. But Flash is arguably the most troubling software on the World Wide Web.

My own tiptoeing through vulnerabilities

When I first deployed web sites, you needed a public-key certificate to use SSL/TLS. The certificates cost more than a year’s worth of shared website hosting. I did without until prices came down.

Then I had to contend with cantankerous hosting packages that handled SSL encryption with limited success. Some packages only encrypted login, some only encrypted administrative activities, some encrypted everything.

When I graduated to hiring other vendors to operate sites for me, I found that they weren’t especially security conscious themselves. My first online testing web site was using RC4 for encryption, long after we had all realized it was broken.

My second testing web site treated SSL as an extra, not a standard feature. I had to pay for both the SSL configuration and the certificate. By then, sites had discovered the AES cipher, already over a decade old.

I shut down my testing sites a couple years ago. Now I use WordPress.com to host everything. If my site is compromised, I know I’m in good company.