Hurry is the enemy of perfection, and can endanger systems of all kinds


In recent days, the focus on security has never been more evident. What company with a product or service, with at least a website, an application, or something similar, does not think in some way about digital security?

We often see attacks on the Superior Electoral Court (TSE), and the risk of hackers accessing confidential data belonging to people, the government, and others. But where is the security in all of this?

We need to think about security as much as possible, and about how to protect our applications against actions of this type. However, it is also common to see that in Brazil we lack the clear organization in project development that would let us move forward and reach new levels of security, and projects are at risk of not being delivered on time.

Programmers and developers who are pressured to build something in a short time, or whose deadline has already passed, often end up doing things wrong, either because of hurry, an obvious enemy of perfection, or because the selected team is not expert in the product it is working on. That is, a team that has never worked with a certain framework is put on the project and held to a deadline.

Certainly, in recent times, in the midst of the Covid-19 pandemic, technology companies have been making huge efforts to update applications and websites and to contain attacks, halting numerous attempts at unauthorized access, while also trying to reduce the never-ending work of dealing with access problems caused by false positives. In other words, so much security equipment is deployed, and millions are spent, trying to mitigate development failures that were made in haste to meet some deadline.

The deadline is the enemy of a good system. Of course, a good system built to perfection would, in theory, not need any security system in front of it to inspect anything; after all, it would be armored by its own architecture. But dreaming of that is currently a utopia, because we cannot count on the development team always having enough time to develop everything in the right way. Errors do occur, and many of them.

The risk for the company is that a data leak can cost it customers, who may simply be afraid to create an account, buy something, or invest their money and not see a return. The risk of an attack, of a successful exploitation, can be a nightmare for any organization in any sector of the economy.

Deadlines, and unqualified teams that work on one front and end up dealing with other fronts in an unfamiliar knowledge domain, can put both the quality of the project delivery and the company's data at risk, all to meet a marketing deadline set by people who understand nothing about security. And when the failure blows up, they will blame the technology area.

Take the case of the TSE, where votes in the first round of the municipal elections had problems with its "supercomputer". Information about it is lacking; it was said only that it was a failure at "Oracle". Let's assume that the application is extremely secure: did no one predict that it could suffer a DDoS attack? And if so, did no one think of a firewall layer to simply reject these packets? How about making these packets wait for a response from a firewall disguised as the system, so that it takes 2, 3, 10 seconds to respond?

You see, you have an application that answers on port 80, processes the data, and responds. You can very well put a firewall in front of it on port 80, both to filter packets and to hold the site's SSL certificate, doing an encrypted port-forward and opening only port 443 to the internet.

You receive thousands of SSL requests on port 443, and this forces the firewall to perform a handshake and process the SSL header before communication is established. But how about building an application that, before arriving on port 443, sends packets to a sequence of ports, like a key scheme? For example:

A fictitious IP address made a request on port 443, but before that, this client application made calls on ports 32100, 32200 and 32556 containing a kind of "ping".

Could you consider allowing access to port 443 for all hosts that made the port calls listed above? That gives us a more complex scenario to attack: the attacker needs to know not only the application's IP address and port, but also to find out the other ports and the sequence required to be released on the firewall and get through the restrictions.
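The knock-before-443 idea described above, sketched as the firewall-side decision logic (an added example, not code from the original article). Ports 32100, 32200, 32556 and 443 come from the text; the 10-second knock window, the 30-second grant lifetime, the `KnockGate` and `replay` names, and the sample events are constructed assumptions.

```python
KNOCK_SEQUENCE = (32100, 32200, 32556)  # ports named in the article
PROTECTED_PORT = 443
KNOCK_WINDOW = 10.0  # assumption: seconds allowed to finish the sequence
GRANT_TTL = 30.0     # assumption: seconds port 443 stays open after a valid knock

class KnockGate:
    def __init__(self):
        self._progress = {}  # src_ip -> (next expected index, time of first knock)
        self._granted = {}   # src_ip -> time at which the grant expires

    def observe(self, ts, src_ip, dst_port):
        """Process one inbound attempt; return True only if it may reach port 443."""
        if dst_port == PROTECTED_PORT:
            return ts <= self._granted.get(src_ip, float("-inf"))
        idx, started = self._progress.get(src_ip, (0, ts))
        if ts - started > KNOCK_WINDOW:      # too slow: start over
            idx, started = 0, ts
        if dst_port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):   # full sequence seen, in order
                self._granted[src_ip] = ts + GRANT_TTL
                self._progress.pop(src_ip, None)
            else:
                self._progress[src_ip] = (idx, started)
        else:                                # wrong port resets progress
            self._progress.pop(src_ip, None)
            if dst_port == KNOCK_SEQUENCE[0]:
                self._progress[src_ip] = (1, ts)
        return False                         # knock ports themselves never answer

def replay(events):
    """Return (src_ip, allowed) for every port-443 attempt in a list of events."""
    gate = KnockGate()
    decisions = []
    for ts, src_ip, dst_port in events:
        allowed = gate.observe(ts, src_ip, dst_port)
        if dst_port == PROTECTED_PORT:
            decisions.append((src_ip, allowed))
    return decisions

# Constructed sample events: (seconds, source IP, destination port).
SAMPLE_EVENTS = [
    (0.0, "203.0.113.10", 32100), (0.5, "203.0.113.10", 32200),
    (1.0, "203.0.113.10", 32556), (1.5, "203.0.113.10", 443),   # correct knock
    (2.0, "198.51.100.7", 443),                                 # no knock at all
    (3.0, "198.51.100.8", 32100), (3.1, "198.51.100.8", 32556),
    (3.2, "198.51.100.8", 32200), (3.3, "198.51.100.8", 443),   # wrong order
    (40.0, "203.0.113.10", 443),                                # grant expired
]
if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because the knock packets travel unencrypted, anyone who can observe the traffic can repeat the sequence, so this works as an extra filtering layer in front of port 443 rather than as authentication.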

But who thinks of building a security system in Brazil? Certainly someone who says he wants a more beautiful icon, a color screen, and says proudly that "our system doesn’t.
