UPDATED 11:47 EDT / MARCH 13 2012

NEWS

Are Startups and Open Source Projects Taking Security Seriously Enough?

“The very bad news is that security is still an after-thought for many NoSQL databases,” MyNoSQL editor Alex Popescu wrote in response to last week’s leak of password hashes from the Node Package Manager (npm) registry.

I commented that it’s a bit unfair to characterize security as an afterthought, and Popescu responded: “a different way to put it is that for many NoSQL databases security wasn’t (yet?) a priority.”

Resources

I’m still not sure that quite sums up the problem precisely enough, and it’s a problem that applies to many other open source projects and to many tech startups. It’s not so much that they don’t take security seriously or make it a low priority. Instead I suspect many projects don’t have adequate resources for security.

On Popescu’s post I quoted Dennis Howlett ranting about a Dropbox security SNAFU last year:

Forget the VC fueled bollox about driving usage numbers. Screw valuations that line the pockets of those who think they know tech but only truly understand money. Tell me what real resources the business has to deal with this topic. That’s highly skilled people who get out of bed every day thinking about how to break systems and the ways to defeat the bandits. Nothing else will do.

The trouble is: how many volunteer open source projects actually have a qualified security expert testing the product? Given enough eyeballs, all bugs may be shallow, but how many projects really attract enough eyes? Meanwhile, how many cash-strapped startups can afford a real AppSec pro? Certainly, once a company has reached a certain level of funding this should be expected. But what about the two- or three-person startup working out of a coffee shop? Even with the right funding, security professionals are in high demand and it might not be easy to find someone.

The Wrong Mindset

As one commenter on Popescu’s post puts it, the issue with both the CouchDB/npm incident and the Ruby on Rails incident is a matter of “security design”: it is possible to make these systems secure, but the onus is on the end developer, not on the team building the platform. These systems were not secure by default.

I suspect that many developers overestimate both their own ability to write secure software and their technical peers’ ability not to shoot themselves in the foot with software that is not secure by default. They may also see these issues as someone else’s problem. For example, the Rails issue was pointed out and the Rails team said they would not fix it. But the problem became theirs quickly when it was discovered that the GitHub team hadn’t hardened their platform correctly. The reason I posted about the CouchDB/npm incident at all was to raise awareness of this style of poor security design and hopefully reduce the number of mistakes made on the part of both end developers and platform developers.
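The page does not name the specific Rails weakness, but the pattern it describes, a platform default that is safe only if the end developer remembers to lock it down, is exactly the mass assignment behaviour of Rails at the time: request parameters were written straight onto a model unless the developer declared an allowlist of assignable attributes. The following is an added example, not code from the article, from Rails, or from GitHub, written in plain Ruby so it runs without Rails. The `UnsafeUser` and `SafeUser` classes, the `ASSIGNABLE` list and the `ATTACK_PARAMS` request hash are all constructed here for illustration; the point is the difference between the insecure default (assign everything) and the hardened form (assign only what was declared, and record what was rejected).

```ruby
# Added example: mass assignment, insecure default vs. allowlisted form.
# Plain Ruby, no Rails. Class names, the allowlist and the request
# parameters below are assumptions made for this example.

# Insecure default: every key in the request hash becomes an attribute.
# Nothing here is wrong for a trusted caller; the failure is that an
# HTTP form is not a trusted caller.
class UnsafeUser
  attr_reader :attributes

  def initialize(params)
    @attributes = {}
    params.each { |k, v| @attributes[k.to_s] = v } # no allowlist at all
  end

  def admin?
    @attributes["admin"] == true
  end
end

# Hardened: only attributes the developer declared may come from a request.
# Everything else is dropped and remembered, because a request that tries
# to set "admin" is worth logging.
class SafeUser
  ASSIGNABLE = %w[name email].freeze

  attr_reader :attributes, :rejected

  def initialize(params)
    @attributes = {}
    @rejected = []
    params.each do |k, v|
      key = k.to_s
      if ASSIGNABLE.include?(key)
        @attributes[key] = v
      else
        @rejected << key
      end
    end
  end

  def admin?
    @attributes["admin"] == true
  end
end

# Constructed attacker request: an ordinary signup form with one extra field
# the form never rendered, added by the client.
ATTACK_PARAMS = {
  "name"  => "mallory",
  "email" => "mallory@example.org",
  "admin" => true
}.freeze

# With the insecure default the extra field silently grants admin.
def unsafe_escalates?(params = ATTACK_PARAMS)
  UnsafeUser.new(params).admin?
end

# With the allowlist the same request cannot.
def safe_escalates?(params = ATTACK_PARAMS)
  SafeUser.new(params).admin?
end

# The rejected keys are the detection signal a platform owner should surface.
def rejected_keys(params = ATTACK_PARAMS)
  SafeUser.new(params).rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "insecure default: admin? #{unsafe_escalates?}"
  puts "allowlisted:      admin? #{safe_escalates?}, rejected #{rejected_keys.inspect}"
end
```

The design choice that matters is where the allowlist lives. In `SafeUser` it is part of the model, so a developer who forgets to think about it still gets the safe behaviour; that is what "secure by default" means in practice, and it is the opposite of requiring every end developer to remember an opt-in.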

Broken by Design

This is made all the worse when a company makes a product that intentionally shares your data in a way that you would rather it didn’t, from Facebook or Twitter apps that spam your followers to social network apps that upload your address book and won’t let you opt out.

ServicesAngle

This is good news for security services companies that can audit third-party open source applications for enterprises, or companies that can provide security testing to short-staffed vendors.

(via M. Thierry)
