Keeping up with the Joneses on modern day web security is a daunting task.
Most companies do not have internal security researchers. Developers are expected to know cryptography, even though I’m sure we can all agree that we only know as much as is needed to prevent the attacks and vulnerabilities already known to us. You’re probably as likely to have a security vulnerability in your application as you are to have a bug in your codebase. I’ve been building web applications professionally for nearly a decade, and just this past year I learned about flaws in commonly reused code, such as timing attacks against HMAC-based authentication caused by the use of ordinary string comparisons.
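The string-comparison flaw mentioned above, as an added example that is not code from this post: an HMAC tag check that stops at the first mismatching character beside one that uses `hmac.compare_digest`. The key, messages and the `naive_compare`/`leak_demo` helpers are constructed for illustration.

```python
"""Added example: HMAC tag verification with an early-exit comparison vs a constant-time one."""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample; real keys come from a secret store


def sign(message: bytes, key: bytes = KEY) -> str:
    """Return the hex HMAC-SHA256 tag for message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def naive_compare(a: str, b: str) -> tuple[bool, int]:
    """Character-by-character comparison that stops at the first mismatch, the way a
    typical string equality operator does. Returns (equal, chars_examined); the second
    value is what a timing measurement of the comparison is correlated with."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def verify_unsafe(message: bytes, tag: str) -> bool:
    """Vulnerable pattern: work done depends on how many leading characters match."""
    return naive_compare(sign(message), tag)[0]


def verify_safe(message: bytes, tag: str) -> bool:
    """Hardened pattern: hmac.compare_digest examines every byte regardless of where
    the first mismatch lies, so its run time does not depend on the supplied tag."""
    return hmac.compare_digest(sign(message), tag)


def leak_demo(message: bytes) -> list[int]:
    """Constructed demonstration: how much work naive_compare does as a forged tag
    shares a longer correct prefix with the real one (1, 9 and 33 characters here)."""
    real = sign(message)
    results = []
    for prefix_len in (0, 8, 32):
        wrong = "0" if real[prefix_len] != "0" else "1"  # differ exactly at prefix_len
        forged = real[:prefix_len] + wrong + real[prefix_len + 1:]
        results.append(naive_compare(real, forged)[1])
    return results
```

The growing counts from `leak_demo` are the signal a constant-time comparison removes; `verify_safe` is the drop-in fix for code that currently does `computed == supplied`.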
Security is very much its own field, as are network administration, frontend development, and backend development. While I pride myself on being capable of handling all facets of the development lifecycle, suffice it to say that I think security is one area where experts are needed. This goes for both the application and the server level.
So what’s with the lack of staffed security researchers at many companies? My inclination is that they’re relatively rare and sought after by those that are truly concerned with security and can afford such hires or contractors. My other theory is that companies hedge their bets, and security researchers aren’t seen as having a positive impact on a company’s bottom line until shit hits the fan.
The problem with this logic, however, is that data breaches cost companies millions of dollars. At the most basic level, a security breach leads to a loss of both trust and customers. Think about the amount of money that must’ve been lost in some of the more prolific hacks of the last few years: Adobe, Target, Experian, Home Depot, JP Morgan, and eBay.
On a more global scale, we have exploits such as POODLE, Heartbleed, DROWN, insecure WordPress plugins, etc. that muddy the waters and turn your average company’s VPS or dedicated server into a sitting duck. I can’t tell you how many servers I’ve encountered that are prone to the most basic XSS or brute force attacks. Many companies are lucky that the majority of individuals capable of running a tool such as Metasploit have no intention of doing something nefarious.
I think bug bounty programs are a great addition to any company’s arsenal for protecting against malicious attacks. By encouraging whitehat hackers (the ethical ones) to find vulnerabilities and giving them money or notoriety in return, companies are effectively outsourcing a very difficult portion of software and server maintenance on a limited budget.
If you’re looking to become a master of an interesting field, I believe web security is a very intriguing niche. Attacks only appear to be gaining momentum and complexity as processing power becomes more affordable and servers and hardware are commoditized through pay-by-the-minute services.
What a tangled web we weave.