Logic Errors and Best Practices for Preventing Them
By now you’ve undoubtedly heard about the Facebook breach. I’ve published an article in Dark Reading that goes into detail on what happened at Facebook and my views on the important lessons we can learn in our efforts to catch and fix these vulnerabilities before hackers do. Here’s a quick synopsis. I hope you will read the full article.
Facebook had a logic error, the result of human error where code allowed a user to take an action that gave them access far beyond what the developer who wrote the code originally intended. This error was then identified and exploited. Unfortunately, these types of errors are extremely difficult to find as it takes human ingenuity to identify the error another human made. And they can be extremely damaging. In combatting these types of errors, I recommend three stages of review beginning with a development team that starts the process thinking about security. Then, build quality assurance teams that know how the app should function and include a few people who think like hackers. Finally, establish meaningful bug bounty programs that offer compensation in line with the internal importance of the app as well as external markets. Read the full article for more detail.