Warning Signs
PROBLEMATIC ARCHITECTURE
Most MMORPGs such as World of Warcraft install large pieces of client software on users' machines that communicate with one of the game's remote servers. It's a straightforward architecture, except there are hundreds of thousands of players in the game at one time, all needing to see the same game action at the same time.
"The security model has to involve trying to control the state of the game," McGraw says. "But the only way to do that is to crack off a piece of the state of the game and give it to each user. If you don't think about security, that sounds like a great idea. But if you realize that users might try to manipulate the program, it's a really bad idea."
That architecture resembles the way companies such as Google are now building their applications. Many of Google's offerings, such as Gmail and Google Docs, are Web-based, but others, like Google Desktop, sit on the user's PC gathering large amounts of data and communicating constantly with Google's servers. This model requires a high level of trust between the application server and the user's PC, and that trust becomes a problem as soon as the user is the attacker: the client code and the data it reports are under the attacker's control, so the server cannot take either at face value.
"The average security guy can talk about trust in a very clear way, but in the case of putting a fat client on an attacker's PC, there's a big trust model problem," McGraw says. "This piece of software you're running on the attacker's PC is outside the trust boundaries."
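To make the trust-boundary point concrete, here is an added Python sketch (not code from the article, from McGraw's book or from any real game) contrasting the two designs: a server that stores whatever state the fat client reports, and one that keeps the only authoritative copy of the state and accepts validated intents instead. The class names, the message format, the MAX_SPEED limit and the cheating client's messages are assumptions constructed for the example.

```python
"""Client-authoritative vs. server-authoritative game state (added example).

The TrustingServer hands each client its own slice of the game state and
stores whatever comes back, which is exactly the design McGraw warns about.
The AuthoritativeServer never lets the client set state directly: it only
receives intents ("move by dx, dy") and validates them against server-side
rules before applying them. Limits and message shapes are assumptions.
"""
import math
from dataclasses import dataclass

MAX_SPEED = 5.0   # assumed: farthest a player may legitimately move per tick
MAX_HP = 100      # assumed: starting and maximum hit points


@dataclass
class Player:
    x: float = 0.0
    y: float = 0.0
    hp: int = MAX_HP


class TrustingServer:
    """Problematic design: the client owns its state, the server just records it."""

    def __init__(self):
        self.players = {}

    def join(self, pid):
        self.players[pid] = Player()

    def handle(self, pid, msg):
        # No validation: position and hit points are whatever the client says.
        p = self.players[pid]
        p.x, p.y, p.hp = float(msg["x"]), float(msg["y"]), int(msg["hp"])
        return True


class AuthoritativeServer:
    """Hardened design: the server holds the only state and validates intents."""

    def __init__(self):
        self.players = {}

    def join(self, pid):
        self.players[pid] = Player()

    def handle(self, pid, msg):
        p = self.players[pid]
        if msg.get("type") != "move":
            return False          # clients may not set state, only request moves
        try:
            dx, dy = float(msg["dx"]), float(msg["dy"])
        except (KeyError, TypeError, ValueError):
            return False          # malformed intent
        if not (math.isfinite(dx) and math.isfinite(dy)):
            return False
        if math.hypot(dx, dy) > MAX_SPEED:
            return False          # speed hack / teleport attempt
        p.x += dx
        p.y += dy
        return True

    def apply_damage(self, pid, amount):
        # Hit points change only through server-side game logic, never via a message.
        p = self.players[pid]
        p.hp = max(0, p.hp - int(amount))
        return p.hp


def run_demo():
    """Replay a constructed cheating client against both servers and return the outcome."""
    cheat_state = {"x": 9999.0, "y": 9999.0, "hp": 9999}          # constructed cheat
    trusting = TrustingServer()
    trusting.join("mallory")
    trusting.handle("mallory", cheat_state)                        # accepted verbatim

    auth = AuthoritativeServer()
    auth.join("mallory")
    teleport_rejected = not auth.handle("mallory", {"type": "move", "dx": 9999.0, "dy": 0.0})
    hp_write_rejected = not auth.handle("mallory", {"type": "state", "hp": 9999})
    legit_accepted = auth.handle("mallory", {"type": "move", "dx": 3.0, "dy": 4.0})

    return {
        "trusting_player": trusting.players["mallory"],
        "auth_player": auth.players["mallory"],
        "teleport_rejected": teleport_rejected,
        "hp_write_rejected": hp_write_rejected,
        "legit_accepted": legit_accepted,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is not the specific speed check but where the state lives: the server keeps the only copy, treats every message from the client as untrusted input, and turns client-supplied values into bounded requests it can refuse. The same pattern applies to a Web application that accepts JSON from a rich browser client.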
WEB SERVICES
Meanwhile, following the lead of vendors like Salesforce.com and NetSuite, Microsoft and other major software providers are making many of their applications available as Web services. Microsoft Office is available for use online, for example. This shifting architecture makes security a challenge for application developers and enterprise security staffs, most of whom are more accustomed to network security and patching desktop applications than to securing distributed applications whose code runs partly on machines they do not control.
"The likelihood is that the exploits that are successful against these gaming environments will be successful against Web applications too," says Avi Rubin, a professor of computer science at Johns Hopkins University and founder of Independent Security Evaluators. "Authentication becomes much more important in this environment because the data is now stored in the network, and if someone is able to get your credentials and break into the application that stores all of your data, it's a much bigger problem. The application becomes a huge target."