6/15/2009
01:40 PM

Q&A: Twitter And Clouds

Twitter presents a perfect vector for malicious code and phishing

Gary McGraw is CTO of Cigital, a software security and quality consulting firm. He recently spoke with Dr. Dobb's editor-in-chief Jonathan Erickson about security in the age of Twitter and cloud computing.


Dr. Dobb's: Does Twitter pose security-related problems?

McGraw: Twitter presents a perfect vector for malicious code and phishing, especially since most users use bit.ly or tinyurl to fit clickable URLs into their messages. Twitter allows dingbats to cash in their last remaining privacy chit with a coolness factor that often overrides common sense.

In fact, the last point applies equally well to Facebook and MySpace. The big problem is many users of these systems seem to have little understanding that postings, tweets, tequila drinking photos, and everything they post in the Web 2.0 world is public. Before Tweeting whatever occurs to you, think about whether you would want your mom to read it. Also note that the Tweet will be around basically forever! Will your future potential employers search Twitter? Why wouldn't they?

Dr. Dobb's: And virtualization?

McGraw: Some easy questions turn out to open various cans of worms. How can I tell if I am running on a VM? Can I figure out what chip I'm actually on? These questions get particularly hairy when it comes to mobile computing. There is an important class of problems in security called "interposition" attacks. Virtualization opens up all new places to get these classic old dinosaur attacks all gussied up for the future.

Dr. Dobb's: Does security have a role in cloud computing?

McGraw: There are many different types of clouds -- public cloud computing is a world away from private cloud computing. Who owns what cycles and what runs where? Equally important for security are infrastructure as service clouds versus software apps as service clouds. Most effort seems to be based around securing data, both in transit and at rest. The different cloud models imply different application architectures, and different architectures (as we all know) imply different security solutions.

Dr. Dobb's: Distributed systems are the norm these days. Has security kept pace with technology implementation in this regard?

McGraw: There are some real challenges with securing massively distributed systems. If you want a good example of what we can expect when a majority of apps are distributed, just take a look at MMORPGs (or "massively multi-player online role playing games"). Greg Hoglund and I wrote a book called Exploiting Online Games that is really a case study for the future of software security.

Probably the most important issue developers and architects need to understand when it comes to distributed systems is the notion of trust boundaries. As an example, it is a really bad idea to include code running on a user's PC or phone or whatever (that is, client code) on the "trusted" side of the trust boundary. Instead, think about that code being completely and utterly exposed, rewired, hacked, etc. In Exploiting Online Games, we do plenty of work disassembling the client code for World of Warcraft with amusing but scary security results.

Don't disregard trust boundaries.
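The trust-boundary point above, worked through in code: an added example that is not part of the interview and not code from Cigital or the book. It is a constructed toy game server with two message handlers for the same client traffic. The first puts client code on the trusted side and applies whatever the client reports (its position, the damage it says it dealt); the second treats the client as an untrusted input source, lets only intent cross the boundary, and recomputes every outcome from server-held state. The players, stat values and messages are all constructed for the demo.

```python
"""Trust-boundary demo: a server must not trust state computed on the client.

Constructed example. Two handlers process the same client messages:
- handle_trusting() applies what the client reports (client on the trusted side).
- handle_authoritative() validates the client's intent against server state and
  computes the result itself (client outside the trust boundary).
"""
from dataclasses import dataclass, field

MAX_MOVE_PER_TICK = 5.0   # server-enforced speed limit (constructed value)
ATTACK_RANGE = 10.0       # server-enforced melee range (constructed value)
WEAPON_DAMAGE = 12        # server-held stat; the client never supplies damage


@dataclass
class Player:
    name: str
    x: float
    y: float
    hp: int = 100


@dataclass
class World:
    players: dict = field(default_factory=dict)
    log: list = field(default_factory=list)


def dist(ax, ay, bx, by):
    return ((ax - bx) ** 2 + (ay - by) ** 2) ** 0.5


def handle_trusting(world, msg):
    """Client code on the trusted side: client-reported results are applied as-is."""
    actor = world.players[msg["from"]]
    if msg["type"] == "moved":
        actor.x, actor.y = msg["x"], msg["y"]
    elif msg["type"] == "hit":
        world.players[msg["target"]].hp -= msg["damage"]
    return True


def handle_authoritative(world, msg):
    """Client outside the trust boundary: only intent crosses it; the server
    checks that intent against its own state and derives every outcome itself."""
    actor = world.players[msg["from"]]
    if msg["type"] == "moved":
        nx, ny = float(msg["x"]), float(msg["y"])
        if dist(actor.x, actor.y, nx, ny) > MAX_MOVE_PER_TICK:
            world.log.append(f"rejected teleport by {actor.name}")
            return False
        actor.x, actor.y = nx, ny
        return True
    if msg["type"] == "hit":
        target = world.players[msg["target"]]
        if dist(actor.x, actor.y, target.x, target.y) > ATTACK_RANGE:
            world.log.append(f"rejected out-of-range hit by {actor.name}")
            return False
        target.hp -= WEAPON_DAMAGE   # server stat; any client "damage" field is ignored
        return True
    world.log.append(f"rejected unknown message type {msg['type']!r}")
    return False


def make_world():
    w = World()
    w.players["alice"] = Player("alice", 0.0, 0.0)
    w.players["bob"] = Player("bob", 12.0, 0.0)
    return w


# Constructed traffic from a tampered client: a jump far beyond the speed limit,
# then a hit from out of range that claims far more damage than the weapon does.
TAMPERED = [
    {"type": "moved", "from": "alice", "x": 11.0, "y": 0.0},
    {"type": "hit", "from": "alice", "target": "bob", "damage": 9999},
]

# Constructed traffic from a well-behaved client: a short step, then an in-range hit.
LEGIT = [
    {"type": "moved", "from": "alice", "x": 4.0, "y": 0.0},
    {"type": "hit", "from": "alice", "target": "bob", "damage": 9999},
]


def run(handler, messages):
    """Apply a message sequence to a fresh world; return (world, per-message verdicts)."""
    w = make_world()
    return w, [handler(w, m) for m in messages]


if __name__ == "__main__":
    for handler in (handle_trusting, handle_authoritative):
        w, verdicts = run(handler, TAMPERED)
        print(handler.__name__, verdicts, "bob hp:", w.players["bob"].hp, w.log)
```

The design point is that the authoritative handler never reads a client-supplied outcome: the `damage` field exists in the message only to show that it is ignored, and position updates are accepted only when they are reachable from the server's last known position. A client that is "completely and utterly exposed, rewired, hacked" can still send any bytes it likes, but the worst it can do to the shared state is what a legitimate client could do.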
