The Application Security Silo

People get used to a certain way of thinking and accepted "truths" when they are around a certain set of people. I have seen this time and time again and of course I have fallen into it myself. I have always heard this being called "being in your own bubble" or being in a "silo", hence the title of this post. Recently I have been thinking that the application security industry is very much in its own bubble.

Don't get me wrong there are a lot of bad bugs that can and have been found. I see value in people finding these types of bugs - of course since that is my job and I still want it - but how severe these bugs are seems to get inflated inside of the industry. This is one reason why I think business people don't always take the security industry seriously. Lets take a specific application as an example, in this case I am going to focus on Wordpress.

To give everyone a short background Wordpress is a well known and well used piece of blogging software. It is widely deployed and very popular.  However, this piece of software is very insecure at least in the eyes of the application security profession.  There is even a site focused solely on Wordpress security, this site is ran by people who know quite a bit.  But yet even with this Wordpress still stays popular and keeps being used.  Why?  There are better alternatives.  The blog-o-sphere hasn't imploded because of this insecure software and the biggest issue is with spammers.  So, with all of these bugs and the software being "insecure by design" why is it still being used?  Because it works and the chances of your personal blog being attacked is pretty slim.  Sure there are bugs and if someone really wanted to they could cause pain to a Wordpress user.  But here in lies the rub, it is a common belief that any piece of software has big enough holes that if you are doing a targeted attack you can get the person, period.  It might take a bit, but it is possible.  I am sure there are exceptions to this belief but so far I have not found one.  

The only reasonable goal people have for software is just to make it more secure than alternatives so attackers attack the easier targets :).  However, it seems odd to me that application security people really get into how a bug can be soooo dangerous yet it rarely gets used or even more likely they find a bug say it is really dangerous and in the end it just isn't.  I guess my main point is this.  

Application security people are like Chicken Little's always saying the sky is falling when it isn't.

Sometimes the sky is really falling, however, most of the time the bug is small and is best used in very targeted attacks and most people are really not important enough for that type of effort. Although I wonder if anyone ever tries to take over the President's computer or what happens when he gets malware :).