Q&A: Twitter And Clouds


Gary McGraw is CTO of Cigital, a software security and quality consulting firm. He recently spoke with Dr. Dobb's editor-in-chief Jonathan Erickson about security in the age of Twitter and cloud computing.


Dr. Dobb's: Does Twitter pose security-related problems?

McGraw: Twitter presents a perfect vector for malicious code and phishing, especially since most users use bit.ly or tinyurl to fit clickable URLs into their messages. Twitter allows dingbats to cash in their last remaining privacy chit with a coolness factor that often overrides common sense.

In fact, the last point applies equally well to Facebook and MySpace. The big problem is many users of these systems seem to have little understanding that postings, tweets, tequila drinking photos, and everything they post in the Web 2.0 world is public. Before Tweeting whatever occurs to you, think about whether you would want your mom to read it. Also note that the Tweet will be around basically forever! Will your future potential employers search Twitter? Why wouldn't they?

Dr. Dobb's: And virtualization?

McGraw: Some easy questions turn out to open various cans of worms. How can I tell if I am running on a VM? Can I figure out what chip I'm actually on? These questions get particularly hairy when it comes to mobile computing. There is an important class of problems in security called "interposition" attacks. Virtualization opens up all new places to get these classic old dinosaur attacks all gussied up for the future.

Dr. Dobb's: Does security have a role in cloud computing?

McGraw: There are many different types of clouds -- public cloud computing is a world away from private cloud computing. Who owns what cycles and what runs where? Equally important for security are infrastructure as service clouds versus software apps as service clouds. Most effort seems to be based around securing data, both in transit and at rest. The different cloud models imply different application architectures, and different architectures (as we all know) imply different security solutions.

Dr. Dobb's: Distributed systems are the norm these days. Has security kept pace with technology implementation in this regard?

McGraw: There are some real challenges with securing massively distributed systems. If you want a good example of what we can expect when a majority of apps are distributed, just take a look at MMORPGs (or "massively multi-player online role playing games"). Greg Hoglund and I wrote a book called Exploiting Online Games that is really a case study for the future of software security.

Probably the most important issue developers and architects need to understand when it comes to distributed systems is the notion of trust boundaries. As an example, it is a really bad idea to include code running on a user's PC or phone or whatever (that is, client code) on the "trusted" side of the trust boundary. Instead, think about that code being completely and utterly exposed, rewired, hacked, etc. In Exploiting Online Games, we do plenty of work disassembling the client code for World of Warcraft with amusing but scary security results.

Don't disregard trust boundaries.
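One concrete form of the trust-boundary rule McGraw describes, as an added example that is not from the interview or from Exploiting Online Games: a game server that treats client-reported movement as untrusted input and re-checks it against its own rules, shown beside the naive handler that simply believes the client. The message fields, the speed limit and the state layout are assumptions made for illustration.

```python
# Added example: keeping client code on the untrusted side of the trust boundary.
# Field names, the speed limit and the message format are constructed for this
# illustration; they are not taken from the interview or from any real game.
from dataclasses import dataclass

MAX_SPEED = 7.0  # assumed maximum world units per second the server permits


@dataclass
class PlayerState:
    x: float
    y: float
    last_tick: float  # server-side time of the last accepted move


def trusting_handler(state: PlayerState, msg: dict) -> PlayerState:
    """Naive server: accepts whatever position the (modifiable) client reports.

    Anything the client sends becomes authoritative, so a rewired client can
    teleport, rewind time, or claim any state it likes.
    """
    return PlayerState(msg["x"], msg["y"], msg["t"])


def validating_handler(state: PlayerState, msg: dict) -> PlayerState:
    """Server-authoritative: the client only proposes a move; the server decides.

    Rejected moves leave the server's own state untouched, which is the state
    every other player sees.
    """
    dt = msg["t"] - state.last_tick
    if dt <= 0:
        # Replayed or out-of-order tick: reject rather than trust the client clock.
        return state
    dist = ((msg["x"] - state.x) ** 2 + (msg["y"] - state.y) ** 2) ** 0.5
    if dist > MAX_SPEED * dt:
        # Claimed displacement exceeds what the server's movement rules allow.
        # In a real service this is also where you would log or flag the client.
        return state
    return PlayerState(msg["x"], msg["y"], msg["t"])
```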

