The thing that strikes me is that in the last six or eight years we've seen a big push toward software security, with what Microsoft has done with Trustworthy Computing. But are these Web developers getting any of that training?
I'm glad you asked. If we're moving toward building the browser as the application or as the operating system, I mean, look at Google Chrome. The browser has a task manager. It is an operating system for all intents and purposes. It's not things you're installing on your desktop anymore, it's things you visit in your browser. This whole idea of storing things in the cloud to protect data, you're essentially yielding control to the people who write these latest and greatest Web apps. And it's like, OK, what do these people know about security? It's kind of the same way the mid-90s desktop developers got their butts kicked. The same way desktop developers didn't know security, we're finding out Web app developers don't know security very well. They're not getting the types of training they need. You say cross-site scripting to them and they think that's stealing a cookie or popping up a little message dialogue. And you have to look at them and say, "Why do you think that message dialogue is appearing?" It's because it's code execution: I executed arbitrary code on your box. That's about as bad as you can get. The difficult part is, security used to be something the IT guys dealt with. That's something my IT guy put a little box on the perimeter to take care of. But with application security, these are fundamental problems in the application itself. A firewall isn't going to help you with a Web app. A firewall is a gateway saying, yes, you can talk to this port, or no, you can't. If no one can talk to your Web app, you don't have a very good Web app. The problem is we have this culture of quickness with our Web space. We have all these books, like Learn Ruby in 24 Hours. You can't learn anything in 24 hours. You can learn enough to be dangerous. You can learn enough to write really bad financial software. For the very applications you would want lots of thought to go into, we're putting no thought in.
Let's go back in time a little bit here. Tell me about the infamous student research project you did at Georgia Tech that got you into a little bit of trouble.
Ah, once upon a time when I was young and silly. I was a student at Georgia Tech and I learned about our campus Buzz Card system and I found some security flaws in it, and kind of learned firsthand the difficulty one can have in trying to do the right thing and letting them know there are issues, and how to remediate and solve when you discover vulnerabilities. Actually, this is a problem in the Web application security space as well, because people can reverse engineer or decompile and find buffer overflows and how it processes and tracks changes of a Word doc. That stuff's processed on a desktop. For Web app security researchers, they have a really hard time. If I happen to inadvertently discover one of these things, how do I let them know? They own all the code. And by definition, you can't discover vulnerabilities on their apps without breaking the law.
What are your thoughts so far on Google Chrome and what you've seen?