Monday, July 21, 2008

"Spring" into framework vulnerabilities

Hey folks - I've been thinking about security defects in frameworks such as Spring for a bit, since someone asked me a week or so ago whether they are safe simply because they use one of these major frameworks. I couldn't find any valid reason to worry that using a framework would introduce new security vulnerabilities until I saw this post - which seems to have slipped under the radar of most of us bloggers/readers of security events.

Back on the 16th of July, ZDNet writer Paula Rooney published this post, which aggregates some of the details around the Spring MVC framework issues. Reading the write-up, I feel there are some complex issues at work here, and simply patching isn't enough to remediate them.

What I do find interesting is that Ryan Berg from Ounce Labs doesn't see these issues as "vulnerabilities", but rather as features that are "insecure by design". To quote the article further...
"SpringSource plans to release in the near future an update in one of its MVC demo templates to show app developers how to avoid this vulnerability. Ounce maintains that the vulnerability is not a security flaw in the framework itself but an application development issue. Many Java applications and business processes built on Spring are insecure by default and should be fixed – even if it means breaking existing applications, Berg said."
How interesting. I wonder if this is limited to Java? What about the Microsoft .Net frameworks... and what about all the extensive AJAX frameworks? I wonder if we're building in security defects simply by using some of these new frameworks?

More to come, as I try to learn a little more about how frameworks can introduce vulnerabilities into code and development.