We Need to Talk About Insecure Software Development Practices
—
I’ve started a weekly newsletter! If you want updates on this blog or my research, or just a weekly dose of the goings-on in information security and threat intelligence, you can subscribe here.
—
I’ve long held that the vast majority of the responsibility for securing our networks lies with the software developer, and default configurations are a fantastic example of how we keep screwing that up.
Microsoft is in the news for a security lapse yet again: an insecure default configuration led to the exposure of up to 38 million sensitive records, including vaccination appointments and status, social security data, email addresses and names. The problem sat in Microsoft Power Apps, a low-code platform that lets users with little development or technical experience build data-collecting web applications.
I’m… genuinely at a loss on this one. Insecure configurations are a plague on the software development industry, but a titan like Microsoft should know better, especially when building a product that is explicitly marketed to users with limited technical knowledge: people who are more focused on deploying than on deploying securely, and who likely don’t know that they should, don’t know how to, or don’t know to go and research how to deploy with anything other than the default configuration.
Just last week, research by Nicole Fishbein and Ryan Robinson of Intezer revealed that Apache Airflow instances were leaking thousands of sensitive credentials. The most common causes were, you guessed it, insecure coding and deployment practices: instances exposed to the internet, hardcoded passwords left in easily accessible config files, and code injection vulnerabilities in easily accessible Airflow variables. We’re not talking about galaxy-brain, hardened targets with complex exploitation chains here; we’re talking about incredibly stupid errors that produce vulnerabilities trivially exploitable by just about anyone with an internet connection.
Yes, users need to do better about reading documentation and researching how to deploy software securely, but the onus is on software developers to ship secure-by-default software that balances availability and accessibility with security. Security starts with software, and we as developers have to do better at securing our products instead of hoping users will do our jobs for us. I understand that coding is hard and secure coding is harder still, but we at least need to do the bare minimum: set minimum standards for secure default configurations that keep the easy vulnerabilities out of our products.
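What "secure by default" looks like in practice, as an added example that is not code from the original post, from Power Apps or from Airflow: a small Python configuration loader that applies the three rules the incidents above kept violating. An omitted setting gets its secure value rather than a permissive one, exposing the service publicly with weakened settings requires an explicit opt-in key, and secrets are never accepted as literals in the file (only as references resolved from the environment). The INI keys, the `env:NAME` reference syntax and the sample configs are all hypothetical; any resemblance to a real product's `airflow.cfg` is by analogy only.

```python
"""Added example: a secure-by-default config loader (hypothetical keys)."""
import configparser
import re

# Rule 1: settings and their secure defaults. Omitted -> secure, never permissive.
SECURE_DEFAULTS = {
    ("webserver", "bind_host"): "127.0.0.1",
    ("webserver", "require_auth"): "true",
    ("webserver", "expose_config"): "false",
}
# Rule 3: required secrets, accepted only as env:NAME references (hypothetical syntax).
SECRET_KEYS = (("database", "password"), ("core", "fernet_key"))
SECRET_REF = re.compile(r"^env:([A-Z][A-Z0-9_]*)$")
# Rule 2: opt-in an operator must set to bind publicly with weakened settings.
OPT_IN = ("webserver", "i_understand_public_exposure")


class ConfigError(ValueError):
    """Raised when the configuration would start the service insecurely."""


def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def _settings(parser):
    # A missing section or key falls back to the secure default.
    return {key: parser.get(*key, fallback=default).strip().lower()
            for key, default in SECURE_DEFAULTS.items()}


def validate(text, env):
    """Return the reasons this config must not be used (empty list if OK)."""
    parser = _parse(text)
    settings = _settings(parser)
    errors = []

    public = settings[("webserver", "bind_host")] not in ("127.0.0.1", "localhost")
    weakened = (settings[("webserver", "require_auth")] != "true"
                or settings[("webserver", "expose_config")] == "true")
    if public and weakened and not parser.getboolean(*OPT_IN, fallback=False):
        errors.append("public bind with auth disabled or config exposed requires "
                      f"{OPT_IN[0]}.{OPT_IN[1]} = true")

    for section, key in SECRET_KEYS:
        raw = parser.get(section, key, fallback=None)
        if raw is None:
            errors.append(f"{section}.{key} is required")
            continue
        ref = SECRET_REF.match(raw.strip())
        if ref is None:
            errors.append(f"{section}.{key} is hardcoded in the config file; use env:NAME")
        elif not env.get(ref.group(1)):
            errors.append(f"{section}.{key} references unset variable {ref.group(1)}")
    return errors


def load_config(text, env):
    """Fail closed: raise on any finding, otherwise return the resolved settings."""
    errors = validate(text, env)
    if errors:
        raise ConfigError("; ".join(errors))
    parser = _parse(text)
    cfg = _settings(parser)
    for section, key in SECRET_KEYS:
        name = SECRET_REF.match(parser.get(section, key).strip()).group(1)
        cfg[(section, key)] = env[name]  # the secret value never touches the file
    return cfg


# Constructed sample configs, not taken from any real deployment.
INSECURE_CFG = """
[webserver]
bind_host = 0.0.0.0
require_auth = false
expose_config = true

[database]
password = hunter2
"""
SECURE_CFG = """
[webserver]
bind_host = 0.0.0.0
require_auth = true
expose_config = false

[database]
password = env:DB_PASSWORD

[core]
fernet_key = env:FERNET_KEY
"""
MINIMAL_CFG = "[database]\npassword = env:DB_PASSWORD\n[core]\nfernet_key = env:FERNET_KEY\n"

if __name__ == "__main__":
    env = {"DB_PASSWORD": "s3cret", "FERNET_KEY": "dGVzdA=="}
    for name, text in (("insecure", INSECURE_CFG), ("secure", SECURE_CFG), ("minimal", MINIMAL_CFG)):
        print(name, validate(text, env) or "OK")
    # Omitted webserver settings come back as their secure defaults.
    print(load_config(MINIMAL_CFG, env)[("webserver", "bind_host")])
```

The point of the shape: the permissive state is reachable, but only by writing it down. A public bind with authentication on passes cleanly, a public bind with authentication off needs the opt-in key, and a password typed into the file is rejected outright instead of being quietly accepted and later leaked with the file.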
This isn’t the internet of the ’90s. We have no excuse to play fast and loose with security. It’s time to start doing the bare minimum to secure the web.
—
I’m not active on Twitter anymore, for reasons I talk about in this blog post, but you can follow my Twitter page for new blog posts and announcements.