isn't quite ashamed enough to present

jr conlin's ink stained banana

2009-04-18

::Goin' Crackers

Back at Yahoo, Arturo would remind us not to worry about making the code safe from external hackers. OK, that's not quite right. He didn't remind us "often", he did it every single chance he could get. It may sound like something odd for someone who's the head of network security to say, but it makes sense once you knew what his principal concern was. Make your code safe from someone who has your knowledge of how to break it.

It's pretty simple, really. If you're working on something, and know there's a bug or something that could be exploited, fix it then and there. It doesn't matter where it is or how infinitesimal the chance that someone will discover it: fix it. Why? That's easy. Crackers have infinite time and resources. They'll find it.

It's always kind of interesting to argue with folks about things like that. Inevitably, you get really, really smart folks that are quite confident that their code is completely optimized and balanced with a minimal footprint because there's this huge, gaping security hole you could drive a battleship through. Their reasoning? Well, nobody's ever going to do that.

Actually, yes they will.

First off, let's get a few things straight:

It's good to be a Hacker, it's bad to be a Cracker
Hackers are folks that use things in interesting ways. Crackers are folks that like to break things. Crackers want to be hackers (and some may be), but much like the difference between lock picking and safe cracking, the methods are significantly different and leave the targeted system in quite different states. The media calls Crackers "Hackers" because they don't know the difference.

Crackers aren't logical
Crackers can and will break a system for any reason. If there's a financial reason, there's obviously more of an incentive, but that's not always the main one. They may just do it for the lulz.

Crackers may not be targeting you
While there's some question about the legitimacy of the reported Amazon Crack, i would totally believe that the goal was making a different group angry.

Crackers have infinite time and resources
Crackers work in parallel. You may calculate that it'll take N years for someone to break into your system. Divide that up by a few hundred individuals and you've got the problem solved in weeks if not days.

Discovered exploits may not be used for years
It may be that a given bug, once discovered, gets filed for some future date or reason. That date could be well after the original programmer has left the company and now Jonas P. Newguy gets several thousand lines of undocumented code dumped into his lap by panicking management trying to figure out why all their etching equipment is playing the Super Mario theme song.

Of course, explaining to management why you need a few extra days to fix a security hole you discovered while implementing a new feature may be hard to do. That's why i never explain the security hole. i simply show the results of taking advantage of it, preferably by having management inflict the damage on themselves or their own account. Do that two or three times and they'll green light any future security patch you discover.

Keep discovering holes in someone else's code and that person may not be working there much longer. Do that a few times, and you may find that security holes are harder and harder to find.

That's why you don't make your code secure from outside attacks. You make it secure from inside folks who may get you fired.

Arturo is a damn smart guy.

pmp
2009-04-20 - 06:56:56

Your statement about dividing it by a couple hundred is not quite accurate. You have to assume that your adversary has command and control of a portion of a botnet that he can use for distributed attacks. This makes IP-based restrictions (password cracking, etc.) largely ineffective. Nice article. I am forwarding it on to Arturo…
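The "work in parallel" point from the post and this comment's point about IP-based restrictions, as an added example that is not the author's or the commenter's code: a login throttle keyed on source address versus one keyed on the account, run over a constructed attempt log in which guesses against one account are spread across 200 source addresses. The account name, addresses and limit are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: one account under a distributed guessing campaign.
# Each source address makes only a handful of guesses, so a per-source
# counter never reaches a typical lockout threshold.
N_SOURCES = 200
GUESSES_PER_SOURCE = 5
TARGET_ACCOUNT = "alice"  # hypothetical account name

def constructed_attempts(n_sources=N_SOURCES, per_source=GUESSES_PER_SOURCE):
    """Build the constructed attempt log as (source_ip, account) tuples."""
    return [(f"198.51.100.{i}", TARGET_ACCOUNT)
            for i in range(n_sources) for _ in range(per_source)]

class LoginThrottle:
    """Counts attempts per key and refuses once a key has reached `limit`.

    key_fn decides what the counter is keyed on: the source address alone,
    the account alone, or any combination of the two.
    """
    def __init__(self, key_fn, limit):
        self.key_fn = key_fn
        self.limit = limit
        self.failures = defaultdict(int)

    def allow(self, source_ip, account):
        key = self.key_fn(source_ip, account)
        if self.failures[key] >= self.limit:
            return False          # locked: rejected before any password check
        self.failures[key] += 1   # every attempt in this sample is a wrong guess
        return True

def guesses_reaching_password_check(throttle, attempts):
    """How many attempts the throttle lets through to the password check."""
    return sum(1 for ip, acct in attempts if throttle.allow(ip, acct))

def compare(limit=5):
    """Run the same constructed log through both throttle designs."""
    attempts = constructed_attempts()
    by_ip = LoginThrottle(lambda ip, acct: ip, limit)
    by_account = LoginThrottle(lambda ip, acct: acct, limit)
    return {
        "total_guesses": len(attempts),
        "per_ip_throttle": guesses_reaching_password_check(by_ip, attempts),
        "per_account_throttle": guesses_reaching_password_check(by_account, attempts),
    }

if __name__ == "__main__":
    print(compare())  # per-IP lets all 1000 through; per-account lets 5 through
```

The account-keyed counter stops the spread-out campaign but also hands anyone a lever to lock the legitimate user out, so in practice it is paired with escalating delays or step-up verification rather than a hard lock.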


2009-04-20 - 06:57:25

Oh yeah, you got a typo in the first line too…


Shep
2009-04-21 - 12:02:14

And watch who you're calling a cracker, honky.

