Paid Advertising
web application security lab

What’s Left?

2 posts left…

As I wind down, I’ve gotten a lot of requests to talk about various things in my final posts. Everything from talking about what to study for newbies, how to keep up on WebAppSec when I’m gone, to talking about O2. But what I really want to talk about is what’s left? After having researched for 15 years and having blogged for 5, what areas do I think are left to research/write/build? There are tons of things. I’ll just type free-form for the next few minutes:

- I think mobile browsers are Swiss cheese and they need a much more serious look. And then we need to have a fierce conversation with the mobile providers about better/faster mechanisms to do patch management.

- I think browser port blocking blacklists are dumb and have already been broken at least three times. It’s time to do a month of inter-protocol exploitation!

- I think browser UP&P attacks against routers are highly likely and need a lot more research.

- I think the whole concept of replacing SSL/TLS with SSL/TLS over DNSSEC needs a ton of thought as a replacement.

- Browser UIs need to be hammered - they all have problems.

- Re-writing firmware in home DSL routers and making router-based botnets is under-researched.

- A table of all the ways to leak information across domains (img tags, style tags, iframes, etc…) needs to be kept and cataloged by browser type.

- An acid test should be built on a website somewhere so that people can test all known security problems against their browser. Then we can start a healthy competition and track how long each browser takes to close each issue.

- Cloud providers need to be hacked to prove how frail everything is that rely on them.

- SSL/TLS resellers need to be hacked to prove how frail PKI is when you distribute it out to the least common denominator.

- Alternate encoding issues are still barely understood and very poorly documented.

- Someone needs to build a ubiquitous DoS (not DDoS) package that includes every known DoS tool and throw it into MetaSploit, so companies start having to test against it and start pressuring the vendors to fix the issues.

… and that’s just what I could type out in a few minutes. Look, anyone who says there’s nothing left to research isn’t thinking creatively. There’s an absolutely amazing amount of issues out there left to research, and projects to make the industry move faster. One problem I wish the industry would get away from is saying something isn’t new or isn’t interesting. If it’s not new but it’s still broken, there’s a problem there (Firesheep is a great example). If you’re interested in it, don’t let other people tell you it’s not interesting. Go ahead and research it! So what’s left? Everything’s left, my friends! The world is yours! You have the power to make amazing things happen if you so choose. It’s just a matter of deciding what kind of world you want to live in.

Comments are closed.