Last night, as I was checking my email before going to bed, I got a note from Apple that their replace/rebuild of the Developer portal had been completed and all services are working again. Great news, and hopefully Apple has addressed, not only the security flaws identified by the Turkish researcher, but any fundamental design flaws which could expose other security issues going forward.
The biggest lessons I’ve learned from watching this all unfold is – security is hard. Steve Gibson (from Spinrite fame) has been recording a long running podcast on security called “Security Now“. He spends 2 hours, each week, going thru all the latest info on security patches, and describing the underlying design and technology of various protocols, etc. which shows how much you need to know to make truly secure applications.
Years ago, when I was working as a consultant, I wrote a Human Resources system for a home health care management company. I was asked to make sure that we had an appropriate level of security and could segregate data between managed companies via passwords. The design was simple. Within the application, you had to enter a unique company identifier and password for each company’s data. Simple and somewhat effective, given that the entire application and all of its data resided on a midrange computer that could only be accessed within the companies physical boundaries. Within 1 month of the application going live, every monitor within the HR department had a nicely printed sticker listing the company identifier and the password for each. So much for security.
The reason I bring this up is to identify how technology is only as secure as its weakest link. Kevin Mitnick, shows us in his biography – Ghost in the Wires, that the best hacks are really around social engineering and not technology. Even Mat Honan’s famous twitter / gmail / icloud hack, was much more a social engineering issue than a technology flaw.
If you are storing sensitive data (however you define sensitive), what are you doing to make your application secure, with out distracting from its functionality?