Why every computer scientist should know the foundations of computer security
On Friday, July 8th, Canada’s biggest and most reliable telecom provider, Rodgers, shut down its internet services countrywide for an entire day. Not only were individuals working from home impacted, but entire businesses and public infrastructure too. Many banking services, including debit card transactions, were shut down for the entire day. This was clearly a high-impact outage.
When speaking with friends later in the day, I jokingly remarked that the last outage I experienced was the result of a poor squirrel chewing through a wire in my neighborhood (poor guy), and before that was when anonymous affiliates cracked Sony’s PlayStation network bringing it down for a whole year.
I was quickly met with the response that only a data breach could result in a Canada-wide outage as there was no chance Canada’s whole network traveled through a single wire accessible to a squirrel — so much for my light-hearted comments. They quickly speculated that it was the Russians retaliating for our support of Ukraine or other nation-state actors.
Although I do not want to speculate on who, what, and why, at least not in this article, I believe this example illustrates the importance and impact a robust network and associated software has in ensuring the accessibility (and by extension the integrity/confidentiality) of our data.
However, data security is not limited to engineers and programmers that ensure our networks are fortified. With the ever-increasing incidents of phishing and social engineering, cyber security is slowly becoming everyone’s responsibility. Moreover, security-by-design is known to be much cheaper and more effective than implementing controls in production.
In that sense, cyber security is everyone’s responsibility. But because programmers can have the highest impact with very little additional effort, the three things programmers can do to help fortify networks will be written about below.
Vulnerability scanners such as Nessus or even NMAP offer the most bang for your buck. As of 2021, outdated and vulnerable software stands at #6 on OWASP’s top 10 vulnerability list. Simply running a scanner and updating the corresponding software is a very easy way to patch common high-impact bugs before they ever reach production. Moreover, in today’s agile environment a patch release process and the corresponding pipeline can happen entirely automatically requiring no additional labor on behalf of programmers.
Proper access control
Sitting at OWASP’s #1 spot is broken access control. This entails end-users and system administrators alike having access to data that shouldn’t be within their reach. This type of security bug occurs in more applications than any other type of vulnerability and has the potential for the highest impact.
The category of bug can be solved by denying access to resources by default and the creation of model access controls to enforce record ownership rather than accepting that the user can create, read, update, or delete any record. Although this type of fix requires a little more overhead, it only really has to be done correctly once and has an impact on the whole application and prevents the largest array of attack vectors.
Cyber security — everyone’s responsibility
A few small fixes such as the ones above can have a high impact on the software we use as a whole, allowing for greater accessibility of the networks we all rely on. Often, cyber security is seen as a hard sell, as preventative medicine does not seem necessary until it’s often too late.
Now that the impact of a nationwide outage is still fresh in our memory (and hopefully the result of a rodent that has a strict diet of fiber optic), I hope we can all take a moment to think about a few very small changes we can make to our software that have a very high impact on security.