During the time I have spent in the security industry, I have seen many hypes come and go (Gartner calls them Hype Cycles).
Gartner's Hype Cycle Graph
Here are a few examples from our own field:
- XML and Web Services
- WS-Security
- Source Code Analysis
- Internet Worms
- IPS/IDS
- AVDL
- Web Application Firewalls
- Database Scanning (see section 7.2)
- SOA
- XSS
- XSRF
- AJAX
Frankly, I believe that each of the aforementioned topics deserves the market's attention, but not in the form of a hype.
You see, hypes are usually driven by someone's own interest and agenda: they are created to serve a purpose, they are exploited, and then they are thrown away when the next hype comes. This is not a healthy recipe for security awareness; it is actually hurting the market, hurting in the sense of the boy who cried wolf, numbing everyone to the next real big thing.
I thought about this subject many times in the past, but two things that I saw and heard while attending the OWASP Milan AppSec conference acted as catalysts for this blog post.
Let's start with the first catalyst. During one of the presentations, the presenter compared Buffer Overflows to XSS:
| Buffer Overflow | Cross Site Scripting |
|---|---|
| Allows arbitrary code execution (machine) | Allows arbitrary code execution (browser) |
| Exploit is hard to write | Exploit is easy to write |
| Easy mistake to make in C/C++ | Easy mistake to make in any language |
| Well known problem for decades | Well known problem for a decade |
Now, I really like this comparison, but at the same time I can't help but feel that it is downplaying the importance of other web vulnerabilities. For example, I could have done the exact same comparison between Buffer Overflows and SQL Injection:
| Buffer Overflow | SQL Injection |
|---|---|
| Allows arbitrary code execution (machine) | Allows arbitrary code execution (DB/machine) |
| Exploit is hard to write | Exploit is easy to write |
| Easy mistake to make in C/C++ | Easy mistake to make in any language |
| Well known problem for decades | Well known problem for a decade |
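Both tables rest on the same two claims: the mistake is easy to make in any language, and the exploit is easy to write. The following is an added example (not code from the original post) that shows the SQL Injection and XSS variants of that mistake side by side with their fixes, using a constructed in-memory SQLite table and a constructed greeting page; the user names, payloads and function names are assumptions made for illustration.

```python
import html
import sqlite3

# Constructed sample data for the example; not taken from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # The "easy mistake": untrusted input spliced straight into the query text,
    # so the database cannot tell where the data ends and the SQL begins.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, name):
    # Parameterized query: the driver sends the value separately from the
    # statement, so the input is only ever compared as data.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def greeting_vulnerable(name):
    # Same mistake in the browser's language: untrusted input spliced into HTML.
    return "<p>Hello, " + name + "</p>"


def greeting_safe(name):
    # Output encoding for the HTML text context; quote=True also covers
    # attribute contexts that use single or double quotes.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed payloads; each is a one-liner, which is the point of the tables.
SQLI_PAYLOAD = "' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def demo():
    """Run both payloads through the vulnerable and the fixed code paths."""
    conn = make_db()
    return {
        # Vulnerable: WHERE name = '' OR '1'='1' matches every row.
        "sqli_vulnerable": find_user_vulnerable(conn, SQLI_PAYLOAD),
        # Safe: looks for a user literally named "' OR '1'='1" and finds none.
        "sqli_safe": find_user_safe(conn, SQLI_PAYLOAD),
        # Vulnerable: the script tag lands in the page unchanged.
        "xss_vulnerable": greeting_vulnerable(XSS_PAYLOAD),
        # Safe: angle brackets are encoded, so the browser renders text.
        "xss_safe": greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

Note that the fix in each case is the same idea: keep data out of the code channel, either by letting the driver bind parameters or by encoding for the output context. An allow-list on the input is a useful second layer, but it is not what makes either function safe.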
Let's move on to the second catalyst. During the panel, the panel speakers were asked what they thought was the single most important problem that needs to be solved in web application security. At that point, someone said "JavaScript!". "JavaScript? Did I hear correctly?" I asked my colleague. He didn't say "Input Validation" or "Trusting User Input"; he said "JavaScript".
Have we done enough to solve everything that is wrong in web applications, that the only thing left on our plate is the (inherent) security issues in JavaScript? Have we solved the first nine issues on the OWASP Top 10, so that all we're left with is JavaScript and XSS?
I don't know what you are thinking about right now, but I sure smell hype.
So yes, JavaScript and XSS are pure evil, and JavaScript is responsible for some of today's most common web attacks, but I have a feeling that some people are exploiting XSS (pun intended) to the max, and by doing so they divert the spotlight from many other critical issues.
There's a reason they call it the OWASP Top 10.
As I mentioned earlier, each of the hype items above deserves every second of publicity it got, but we have to make sure that this publicity is not exploited to push someone's agenda. We have to make sure that all the hyped topics out there receive the same amount of exposure, and that the exposure is constant and balanced.
I know many people who feed on industry news, and if we keep throwing hypes at them, they will eventually find it hard to separate the wheat from the chaff.