Investigating the Security is Hard Mantra

Security is hard. Every developer has heard this many times, and many have taken it to heart with little question; the companies that have been in the news recently show why. But with recent versions of the .NET Framework, many of these security tasks have become rather trivial to code. It's worth sharing the new insights and changes that will let you be more productive in the .NET world.

Security Is Hard 101

For example, securely hashing a password with PBKDF2 takes only a handful of lines:

using System;
using System.Security.Cryptography;
using System.Text;

// Derives a 24-byte key from the password with PBKDF2 (Rfc2898DeriveBytes uses
// HMAC-SHA1 unless a hash algorithm is specified). The salt is a random,
// per-user value that the caller generates once and stores alongside the hash,
// passed here Base64-encoded.
public string HashPassword(string password, string salt)
{
    const int PASSWORD_HASHING_ITERATIONS = 10000;
    using (var pbkdf2 = new Rfc2898DeriveBytes(Encoding.UTF8.GetBytes(password),
        Convert.FromBase64String(salt), PASSWORD_HASHING_ITERATIONS))
    {
        var key = pbkdf2.GetBytes(24);
        return Convert.ToBase64String(key);
    }
}

With these kinds of libraries and frameworks at our disposal, is security still something that's hard? After all, with those few lines of code we have the beginnings of a login system.

Security STILL is Hard

Unfortunately, the answer is a resounding yes, as Ashley Madison recently found out. After the site was hacked and its database and website code exposed, security researchers examined the password hashes and found that they followed industry standards: passwords were hashed with bcrypt at an acceptable work factor. Those researchers estimated that it would take years to reverse the hashes.

That is, until another group of researchers examined the code and found a second field in which the password was also stored. That field was not protected with an industry-standard password hashing algorithm iterated thousands of times; instead, the password was hashed once with MD5. Over the course of about ten days, these researchers were able to reverse 11 million password hashes.
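As an added illustration of that failure mode (example code written for this article, not taken from Ashley Madison's code base or from the .NET Framework), the Python script below stores one password two ways: through salted, iterated PBKDF2-HMAC-SHA256, which is the field a login check would use, and through a single unsalted MD5 of the kind described above. It then runs the same small dictionary attack against the MD5 field and counts what the same attack would have cost against the PBKDF2 field. The password, the wordlist and the iteration count are constructed for the example and are not figures from the breach.

```python
import hashlib
import hmac
import os
from typing import Iterable, NamedTuple, Optional, Tuple

# Assumed work factor for the strong field; every guess against it costs this many HMAC rounds.
PBKDF2_ITERATIONS = 100_000


class PasswordRecord(NamedTuple):
    salt: bytes
    key: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """The 'industry standard' field: a per-user random salt plus an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=32)
    return PasswordRecord(salt=salt, key=key, iterations=PBKDF2_ITERATIONS)


def verify_password(password: str, record: PasswordRecord) -> bool:
    """Login check against the strong field, using a constant-time comparison."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record.salt,
                              record.iterations, dklen=len(record.key))
    return hmac.compare_digest(key, record.key)


def weak_side_field(password: str) -> str:
    """The second field: the password hashed once with MD5, no salt, no iterations."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_side_field(md5_hex: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on the MD5 field. Returns (password or None, guesses tried).

    One cheap hash per guess; and because there is no salt, the same table of
    MD5 values serves every other user in the dump as well.
    """
    tried = 0
    for guess in wordlist:
        tried += 1
        if hmac.compare_digest(weak_side_field(guess), md5_hex):
            return guess, tried
    return None, tried


def pbkdf2_work_for(wordlist: Iterable[str]) -> int:
    """HMAC invocations needed to run the same wordlist against the strong field."""
    return sum(PBKDF2_ITERATIONS for _ in wordlist)


# Constructed sample data for the example: the victim's password and a tiny attacker wordlist.
SAMPLE_PASSWORD = "Summer2015!"
SAMPLE_WORDLIST = ["password", "123456", "qwerty", "Summer2015!", "letmein"]


def demo() -> Tuple[Optional[str], int, int]:
    """Returns (password recovered from the MD5 field, guesses it took,
    HMAC rounds the same attack would have cost against the PBKDF2 field)."""
    strong = hash_password(SAMPLE_PASSWORD)
    assert verify_password(SAMPLE_PASSWORD, strong)   # the login path is fine ...
    leaked_md5 = weak_side_field(SAMPLE_PASSWORD)     # ... but this is what the attacker reads
    recovered, guesses = crack_side_field(leaked_md5, SAMPLE_WORDLIST)
    return recovered, guesses, pbkdf2_work_for(SAMPLE_WORDLIST)


if __name__ == "__main__":
    recovered, guesses, strong_cost = demo()
    print(f"MD5 field cracked: {recovered!r} after {guesses} guesses "
          f"(the same list would have cost {strong_cost} HMAC rounds against PBKDF2)")
```

The strong field never gets weaker here; the attacker simply never has to touch it. That is the whole lesson of the second field: the cost of guessing a password is the cost of its cheapest representation anywhere in the system.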

Open Source Security Tools

Security is still hard because, as Ashley Madison found out, security is not a property of individual pieces of code but of the application as a whole. It didn't matter that Ashley Madison hashed passwords correctly at login, because the same password was exposed by other code. In turn, this means that QA testing of security features, by itself, cannot determine that an application is secure.

Instead, code reviews and security audits of the whole application are needed to ensure that it will not expose confidential data, whether that data is a user's password, proprietary data, or something else entirely. This is why some of the most trusted security tools and frameworks available, such as TrueCrypt, KeePass, and OpenSSL, are open source: anyone can review the code at any time to see what it is doing and confirm that nothing malicious is taking place. Even that is sometimes not enough to ensure there are no exploitable bugs, as we all discovered with the Heartbleed bug in OpenSSL the year before.

This is why we repeat the "Security is Hard" mantra, and why third-party services and frameworks are so strongly recommended whenever the topic of security comes up. Most companies simply don't have the time, resources, or expertise to ensure that their applications are secure on their own, especially if security isn't their product. By using something like ASP.NET Identity, and/or OAuth with a provider such as Google or Facebook for logging in, the security of an application's authentication can be reasonably assured.

