About this Guest Post
At the IWMW 1998 and IWMW 1999 events Andrew Cormack gave talks on Web Security. Looking back to the final years in the last century (!) Andrew concludes “Web security today may be no easier than in the 1990s, but it’s a lot more important.”
Web Security: More Important Than Ever!
Looking back at my web security slides from the second [see abstract] and third [see abstract] IWMW events – last century! – I’d expected to find a very different world. Surely everything has changed in the past eighteen years? In some ways, it has. In 2016 I wouldn’t use Unix shell commands to illustrate the risks of server-side scripts. And I definitely wouldn’t be discussing patching operating systems by manually editing the source code!
But a surprising amount is still familiar.
Scripts may have been superseded by plugins but these can still be written badly and let attackers upload, download or control parts of the web service that they shouldn’t have access to. The problems are now better documented – check the OWASP Top 10 – but code containing them is nonetheless depressingly common. It’s still hard to write programs that remain secure in the face of everything the Internet can throw at them. Our processes for selecting, writing and reviewing the code we install on our key services must support those authors who do their job well.
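The "upload, download or control parts of the web service they shouldn't" failure described above is still, most often, a path-handling bug. The following is an added example (not code from the original post or its author): a download handler written the 1990s way, which joins a user-supplied name onto the web root and opens whatever results, beside a hardened version that resolves the path and refuses anything that lands outside the root. The same check is reused for uploads. The web root, file names and file contents are constructed inside the block purely for the demonstration.

```python
import os
import tempfile

# Constructed sandbox for the example: a "web root" holding one public file,
# and a secret file one level above it that the service must never serve.
ROOT = tempfile.mkdtemp()
WEB_ROOT = os.path.join(ROOT, "htdocs")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "wb") as f:
    f.write(b"<h1>public</h1>")
with open(os.path.join(ROOT, "secrets.txt"), "wb") as f:
    f.write(b"db_password=hunter2")


def download_vulnerable(filename: str) -> bytes:
    """The badly written script: trusts the request to stay under WEB_ROOT.
    '../secrets.txt' walks out of the root; an absolute name such as
    '/etc/passwd' makes os.path.join discard WEB_ROOT entirely."""
    path = os.path.join(WEB_ROOT, filename)
    with open(path, "rb") as f:
        return f.read()


def safe_path(filename: str) -> str:
    """Resolve the requested name and insist the result stays inside the root.
    realpath() collapses '..' and follows symlinks, so a link planted inside
    htdocs that points outside is rejected as well. Raises PermissionError."""
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, filename))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:          # different drives on Windows: cannot be inside
        inside = False
    if not inside or candidate == root:
        raise PermissionError(f"refused: {filename!r} resolves outside the web root")
    return candidate


def download_hardened(filename: str) -> bytes:
    with open(safe_path(filename), "rb") as f:
        return f.read()


def upload_hardened(filename: str, data: bytes) -> str:
    """Same containment check applied before writing; returns the stored path."""
    path = safe_path(filename)
    with open(path, "wb") as f:
        f.write(data)
    return path


def refused(op, *args) -> bool:
    """True if the hardened handler rejected the request."""
    try:
        op(*args)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print(download_vulnerable("../secrets.txt"))        # leaks the secret
    print(refused(download_hardened, "../secrets.txt")) # True
    print(refused(upload_hardened, "/tmp/evil.sh", b"x"))  # True
```

Note that the check is made on the resolved path, not on the request string: stripping "../" from the input is the mistake the OWASP Top 10 has catalogued for years, because encoded or doubled sequences get past it while the filesystem still interprets them.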
Software maintenance is still vital to keep services secure as new bugs are discovered. For operating systems this is much easier than in the 1990s: tools providing regular, automated patching are a huge advance. But now we’ve added layers of content management systems, databases and apps whose suppliers may not have reached the same level of maturity. Keeping these secure may still depend on being on the right mailing list and responding promptly when fixes or workarounds are identified. Third-party hosting can outsource some of this effort, at the cost of reduced flexibility, but some security tasks will still be your responsibility: make sure you know which.
Users and browsers were an occasional target in the 1990s but attacks on the client side of the web are now much more common and more serious. Web browsers, too, are complex pieces of software with an extensive range of plug-ins. If we find it hard to keep the server side secure, little wonder that users struggle to do the same for their browsers. Attackers exploit the human component, too, either persuading users to visit a website where their browser will encounter malicious code or simply asking them to disclose passwords and other sensitive information. Most attacks are financially motivated: CPU cycles, network bandwidth and information can all be sold or used to commit lucrative fraud. Websites can help by offering tools such as two-factor authentication that make their users (and the services they use) less vulnerable to these attacks. We must ensure our communications and services can be clearly distinguished from those the fraudsters construct; don’t teach your users bad habits.
Web security today may be no easier than in the 1990s, but it’s a lot more important. In 1998 a few innovative teachers were setting student assignments using on-line data sources. Now the web is the main entry point for all the university’s teaching, research and administration. A huge amount of personal, sensitive and valuable data is accessible through our web services: to the wrong people if those services aren’t secure. Reputation, compliance and fines should now be things every university considers when planning its web provision.
Universities need secure web platforms: recent headlines show the damage that even large businesses can suffer from security failures. Building and operating those platforms are professional tasks; communities such as the institutional web managers provide vital support. In 2016 anyone can set up an insecure web presence for their work: you don’t even need a credit card. Universities must ensure there’s no need or incentive for their staff to do that.
Andrew Cormack is Chief Regulatory Adviser, Jisc Technologies, concerned with the regulatory and security aspects of networked services. His first web script, more than twenty years ago, extracted the positions of research ships from daily situation reports and plotted them using the Xerox PARC map server.
Previously he was Cardiff University’s first webmaster, in which role he spoke at IWMW 1998; then Head of Janet-CERT (IWMW 1999). He also spoke on federated access management at IWMW 2007.
- Email: Andrew.Cormack@jisc.ac.uk
- Blog: https://community.jisc.ac.uk/blogs/regulatory-developments
- Twitter: @Janet_LegReg