Over the weekend my wife and I decided to go pay our last respects to Borders Books. I could write a blog entry on why they failed (which includes missing the Internet, then missing e-Readers), or why we bought nothing (going-out-of-business discounts didn’t even bring their prices down enough to equal Amazon and the lines were so long there was no reason to wait for a bad deal), but I’d rather write about my aha moment. I now know a major reason we have so many website breaches.
While browsing through Borders’ selection of computer books I decided I wanted to see what some of them said about security. I picked up an introductory book on building websites and looked for Security in the index. This ~750 page “all in one” guide had just TWO pages on security, and they contained no details, just some general things you’d need to worry about if you set up an e-commerce site. Then I grabbed another website book and discovered it had ZERO pages on security. And then another with the same result. It seems that we are training website developers that security is of no importance.
Next I moved on to SQL programming. For those who don’t know it, something called “SQL Injection” has been amongst the top couple of ways to breach a website for the last several years. SQL Injection isn’t a bug in database products; it is the result of application programming mistakes. The first book I picked up on programming SQL (Microsoft SQL Server specifically) didn’t talk about SQL Injection at all. So I decided to look at books that were specifically aimed at web database programming rather than SQL itself. I picked up a book on jQuery and found no mention of SQL Injection. Then a book on ADO.NET, which had no mention of SQL Injection either. Wow, this was disturbing. We aren’t training programmers to take the proper precautions when writing access to databases either.
After returning home I used Amazon to look at the indexes for, and perform searches on, a number of other website and database programming books, and the results were little better. Introductory website books rarely discuss good security practices. With introductory database programming books the situation is a little bit hit or miss. Some don’t mention SQL Injection at all, while I did run across a few that gave good guidance on how to avoid it. But the overall situation is pretty clear: when someone starts out building websites and web applications (be they doing so for their spouse’s small business or working for a large enterprise) they have no awareness of, nor training in, how to build a secure website or application. None.
Next I thought, well there are always people who hold a Certification (from Microsoft, Cisco, etc.) and surely they have the appropriate training in security. So I set about looking at some of the training materials for certification. My first look was at the Self-Paced training for MCTS Exam 70-516, “Accessing Data with Microsoft .NET Framework 4”. This is a pretty obvious place to be testing knowledge about SQL Injection, but a search on this book yielded ZERO mentions of it. The training book for 70-515, “Microsoft .NET Framework 4 – Web Applications Development” also contains no references to SQL Injection. Almost all its discussions about security are related to authentication and authorization, with none on how to write a secure application. Other exams, and the training material for them, may indeed cover these topics. However, these are the two main exams around web application development (including with data access) and they do not. For example, someone who wanted a SQL Server certification would find some training on SQL Injection in the materials for exam 70-433 (a full ONE page). However this exam isn’t part of the web application development (technically a Visual Studio) certification and someone using a database other than SQL Server certainly wouldn’t bother taking it. Once again we see that we aren’t training web developers in how to build a secure website or web application, nor are we expecting them (via certification) to know how to do it.
Once a developer is aware of, and interested in (often because their site has been compromised), creating secure websites and web applications, there is plenty of documentation, training, and help to be had. There are books ranging from specific topics (e.g., there are books on how to protect against SQL Injection attacks going back to 2002) to general ones on building secure web applications. OWASP (The Open Web Application Security Project) has extensive documentation, training, assessment materials, conferences, and tools for building secure websites. But all of this assumes that a developer knows he or she needs to learn about these topics, which means that only the most experienced developers tend to have a focus on security.
Now I think we know why there are so many breaches of websites: the people developing them are simply not being trained in how to create secure sites. The way to address this is to put security front and center during the initial training of web developers. Basic security practice can’t be an add-on; it has to be part of the fundamental knowledge base that everyone operating in the IT arena has, from the very first website or application they create.
Seems strange that a book on ADO.NET or .NET data access in general wouldn’t mention SQL injection, since avoiding it is a big part of the motivation for some of their major features (such as parameterized or LINQ-based queries).
Talking of SQL injection, it is the number one attack vector to compromise a website (not database but website!). Depending on what surveys you read, it accounts for between 20% and 60% of all website breaches – see http://www.darkreading.com/database-security/167901020/security/application-security/223100129/index.html.