Welcome to Jester's Trek.
I'm your host, Jester. I've been an EVE Online player for about six years. One of my four mains is Ripard Teg, pictured at left. Sadly, I've succumbed to "bittervet" disease, but I'm wandering the New Eden landscape (and from time to time, the MMO landscape) in search of a cure.
You can follow along, if you want...

Monday, April 11, 2011

Quote of the Week: Security issues

I can't decide.  It definitely should be from CCP Navigator's thread announcing the return to the old forums.

But which do I pick?  There's this, from CCP Sreegs, either completely misunderstanding or completely misstating the role of a competent security professional in today's Internet:
My job is response, not reviewing every single line of code that gets written.
Note to CCP Sreegs: you can't afford to be reactive in today's Internet.  Only proactive will do.  Or there's this, from CCP Wrangler, the first real apology for a CCP screw-up that I can recall... well... ever:
You have my sincere and personal apology and I also apologize on behalf of CCP.
Well said.  Or there's this, from Helicity Boson, who states in a very few words some core truths about today's Internet and what CCP Sreegs should have been doing:
And no matter what, that you didn't even see the error in your login design for forum posting and the documented injection holes in the forum you gutted to serve as a base for "your" 72,000 man hour project is pretty damning.

You need peer reviews of code, you need penetration tests.

So, pick whichever of the three quotes you personally like best.  ;-)

You'll note I left specific technical details out of my own blog post on Saturday because I didn't want to further spread the word about the vulnerability or specifically how it works.  But CCP seems to be doing what they can to downplay the issue, which is the wrong response.  Take it from me, guys: you don't downplay security issues.  You treat them as serious, business-breaking issues, no matter how minor they appear to be.  You take them seriously.  Your customers expect nothing less.

So, here are some of the details, as posted on Helicity Boson's blog.  Go give them a read.

CCP Sreegs has promised a devblog about this issue, and I'm sure I'm going to have more to say about it once that's posted.

8 comments:

  1. There's something very Eve about all the drama that comes from CCP. The very PUBLIC drama, that is.

  2. I disagree about only being proactive. They would never get anything shipped. You have to be a bit pragmatic about some of these things. Did they ship it too soon, probably, but you do have to be reactive with some of this.

    A company like CCP is damned if they do, damned if they don't. Release too soon and it is buggy and people get pissed. If they sit around waiting for it to become "perfect" people bitch about never releasing software.

  3. What I wonder about is if CCP have documented any policies based on best practices for Web development, especially for sites that require authentication.

  4. My job is response...

    After the horses have left the barn because you didn't check to make sure the door was closed?

  5. Triston - you can be proactive without being perfectionist.

    Some things such as (a) reading the known issues list for the software you're about to adopt, (b) training yourself in web best practices (ask Google about secure web programming) and (c) listening to reports of vulnerabilities from your beta testers, all count as being proactive.

    CCP did none of those.

  6. http://eve-search.com/thread/300405 - thread complaining about CCP's crap web developers. Includes a reply by Dark Shikari.

  7. @Triston: No. When it comes to security of your public interfaces, you have to be proactive. The price for being reactive may be your brand and business as a whole.

    Granted, you can't prevent sophisticated attacks nobody has heard of before; but you can at least establish commonly accepted standards of security. As thousands of other web sites demonstrate, it's not an impractical problem to solve.

    Especially since the vulnerabilities listed by Helicity were of such basic nature, a five minute hallway review with a semi-competent security person could have uncovered them.

  8. ObMotivational poster: http://www.thesatya.com/blog/2008/06/bruce_security.html

    :)
