Friday, 16 November 2012

Accidental security improvements

I'm fascinated by things that improve security even though they were not initially designed for that purpose (as opposed to some appliances that are designed to improve security and don't...).

My first (and favorite) example is the home ADSL router. Back in the day, people (in France at least) used to have USB modems, and their Windows machine was fully reachable from the Internet with a nice public IP address, and so were their Windows shares... But people started to have more than one computer at home and moved to "Ethernet routers" (this was actually their name, as opposed to USB modems) with NAT, and that prevented unpatched Windows systems with shares from being reachable from the Internet... Just a simple modification changed a lot, especially if you think about client-side attacks.
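To make the "accidental firewall" concrete, here is a small stateful NAT simulation (added example, not part of the original post). It models what the paragraph above describes: the router only forwards an inbound packet if an outbound connection created a mapping for it, so an unsolicited connection from the Internet to port 445 on the public address is simply dropped, with no security feature involved. The `NatRouter` class, the packet format and the addresses are all constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A bare-bones TCP/UDP-style packet: just the 4-tuple NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Mapping value: (private_ip, private_port, remote_ip, remote_port)
Mapping = Tuple[str, int, str, int]


class NatRouter:
    """Minimal port-restricted NAT (constructed model).

    Inbound traffic is delivered only when it matches a mapping that an
    outbound packet created earlier; everything else has nowhere to go and
    is dropped. That drop is the side effect that kept home PCs off the
    Internet, even though NAT was only meant to share one public address.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings: Dict[int, Mapping] = {}  # public port -> Mapping

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a LAN->Internet packet, creating a mapping if needed."""
        key: Mapping = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, existing in self.mappings.items():
            if existing == key:  # reuse the mapping for an ongoing flow
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an Internet->LAN packet, or return None if it is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self.mappings.get(pkt.dst_port)
        if mapping is None:
            return None  # no state for this port: unsolicited, dropped
        priv_ip, priv_port, remote_ip, remote_port = mapping
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # port-restricted: only the original peer may reply
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def scenario() -> dict:
    """Replay the situation from the post with constructed addresses."""
    router = NatRouter(public_ip="203.0.113.7")  # documentation range, constructed
    pc = "192.168.1.10"

    # 1. Someone on the Internet tries to reach the PC's SMB share (port 445)
    #    through the public address. There is no mapping, so it is dropped.
    probe = Packet("198.51.100.5", 51000, "203.0.113.7", 445)
    smb_delivered = router.inbound(probe)

    # 2. The PC browses a web site: the outbound packet gets a public port.
    request = router.outbound(Packet(pc, 50500, "198.51.100.80", 80))

    # 3. The web server replies to that public port, which maps back to the PC.
    reply = router.inbound(Packet("198.51.100.80", 80, "203.0.113.7", request.src_port))

    # 4. A different host reusing the same public port is still rejected.
    spoof = router.inbound(Packet("198.51.100.5", 80, "203.0.113.7", request.src_port))

    return {
        "smb_probe_delivered": smb_delivered,
        "web_request_public_port": request.src_port,
        "web_reply_delivered_to": reply.dst_ip if reply else None,
        "other_host_delivered": spoof,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Run it and the SMB probe comes back as `None` while the web reply is delivered to `192.168.1.10`: nothing in the model says "block SMB", the blocking falls out of the address translation itself.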

Another example is web frameworks (like Ruby on Rails or Spring): they were created to increase developers' productivity, but they became a great asset for security (automatic XSS and CSRF protection, automatic object-to-database mapping, ...). If you're a pentester, you can probably picture the "before framework" and "after framework" code and see how many problems are now generally fixed automatically (hopefully; people still make mistakes).
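The "before framework" and "after framework" contrast, as an added example (not from the original post, and not the code of Rails or Spring): the unsafe handlers concatenate user input into HTML and SQL by hand, the safe ones do what a framework's defaults do for you, namely escape on output, parameterise queries (as an ORM would), and check a per-session CSRF token on state-changing requests. The handler names, the `users` table and the sample inputs are constructed for this illustration.

```python
import html
import hmac
import secrets
import sqlite3
from typing import List, Optional, Tuple


# ---------- "Before framework": input pasted straight into markup and SQL ----------

def render_comment_unsafe(name: str) -> str:
    # Legacy-style handler (constructed): no output encoding at all,
    # so any markup in `name` is interpreted by the browser.
    return "<p>Thanks for your comment, " + name + "!</p>"


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    # String-built query (constructed): the input becomes part of the SQL grammar.
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


# ---------- "After framework": what template engines and ORMs give by default ----------

def render_comment_safe(name: str) -> str:
    # Rails/Spring-style templates escape by default; here html.escape plays that role.
    return "<p>Thanks for your comment, " + html.escape(name, quote=True) + "!</p>"


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[int, str]]:
    # Parameterised query, the shape an ORM emits: the input is data, never grammar.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def issue_csrf_token(session: dict) -> str:
    # Framework-style CSRF protection: one unguessable token per session,
    # embedded in forms and compared on every state-changing request.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, submitted)


def make_db() -> sqlite3.Connection:
    # In-memory table with constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def demo() -> dict:
    """Run both styles on the same constructed inputs and collect the results."""
    conn = make_db()
    markup_name = "<b>bold</b>"           # benign markup; unsafe version renders it as HTML
    tautology = "nobody' OR '1'='1"      # classic textbook string; unsafe version matches every row
    session: dict = {}
    token = issue_csrf_token(session)
    return {
        "html_unsafe": render_comment_unsafe(markup_name),
        "html_safe": render_comment_safe(markup_name),
        "rows_unsafe": find_user_unsafe(conn, tautology),
        "rows_safe": find_user_safe(conn, tautology),
        "csrf_ok": csrf_token_valid(session, token),
        "csrf_wrong_token": csrf_token_valid(session, "not-the-token"),
        "csrf_no_session": csrf_token_valid({}, token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point is not that the safe functions are clever; it is that a developer using a framework gets all three behaviours without writing them, which is exactly why the "after framework" code base shows far fewer of these findings.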

Do you have more examples?


bastikononion said...

I nominated you for the "Inspirational Award", because I "got it".

According to the rules: it's open to you IMO to participate or not.

I however chose to do so and I nominated you:

You may just delete this

Louis Nyffenegger said...

thanks :)