Marc Maiffret is a worried man.
The chief hacking officer and co-founder of eEye Digital Security looks at the rising popularity of hosted Web applications and sees a future where legitimate bug hunters are blocked from auditing popular product for security flaws.
“How can you do an independent code audit when you have no access to the application? You look at [Microsofts] Windows Live or Google; everything is sitting on the server. If I want to audit an application, I have to launch an attack against Microsofts server, which is obviously illegal,” Maiffret said.
“Its creating an environment where the bad guys are looking for vulnerabilities and the responsible researchers are shut out. The criminals dont care about attacking a server and breaking a law. Were the ones that have to worry about that,” he added.
Maiffrets eEye is a noted research outfit credited with finding numerous critical vulnerabilities in Microsofts Windows operating system and other widely deployed products, but he is concerned that the software-as-a-service realm will lull the industry into a false sense of security.
“Im sure Microsoft will be happy to say that no bugs have been reported in Windows Live and its the most secure application. But how will you ever know that if no ones allowed to audit the code?”
Maiffrets concern was shared by John Pescatore, senior vice president of research at Gartner Inc.
“Today I can buy software, test it and confirm for myself that its secure for my use. In the new world, even if Live.com is secure today, Microsoft could make changes tomorrow and theres no way to know if Im secure tomorrow. Thats a legitimate concern.”
While large-scale enterprises can negotiate the right to run random code audits into SLAs (service level agreements), the smaller companies that use on-demand applications to cut costs wont have the budget to handle that luxury, Pescatore added.
To counter the absence of independent third-party audits, he suggests small to midsize businesses do due diligence to ensure service providers have documented policies for hardening the application and the operating system under the Web and other servers.
“You want to know how they are reviewing the security of scripts and the code they are integrating into the applications. Are they using intrusion detection services for the application? Are the procedures for installing security patches documented? How are they hiring the people who are managing the application? These are some very big questions,” Pescatore added.
Pete Lindstrom, an analyst with Spire Security in Malvern, Pa., said he does not buy into the theory that external vulnerability research leads to a more secure IT environment.
He pointed out that even in todays environment, private research outfits still find—and report—cross site scripting and SQL injection vulnerabilities in popular Web sites.
There have been cases in the past when security flaws have been publicly reported in Googles Web applications, and other Web e-mail services.
But Maiffret is convinced the day will come when the growth of the Live.com model will force a rebirth of the “underground hacker” culture instead of the up-front discovery and reporting of bugs.
That, he insists, is something to worry about.