This globally neutral article in "Application Development Trends", provides some interesting insights about security in software, as reaction on the recent security exploits discovered in Google's Chrome browser. Below two high-lights:
Security flaws tend to be discoverd more in popular products
Google's security measures may become a concern at the enterprise as Chrome's use becomes more widespread, according to Jason Miller, security data team manager for St. Paul, Minn.-based Shavlik Technologies.
"At one time, many people would state that the only way to be safe surfing the Internet was to use a non-Microsoft product," Miller said. "As Firefox gained in popularity and usage, evil hackers found security vulnerabilities in the product and took advantage of them. The evil hackers, in most cases, will focus their efforts on a widely used product. This could be another product that administrators lose sleep over with newly discovered vulnerabilities."
Microsoft 's security approach of a decade ago similar to Google's security today?
"As was the case a decade ago at Microsoft, inside of Google, marketing still appears to carry a much bigger stick than the security folks do," said Randy Abrams, director of technical education at San Diego-based security software company ESET. "This makes it impossible to place the proper emphasis on security. As a result, Google will be responding to flaws much more often than proactively preventing vulnerabilities."
Some security vulnerabilities (in Java's Spring Framework) not correctable flaws.
Another article in "Application Development Trends" handles about security vulnerabilities found in the Java Spring Framework. An interesting detail is that these flaws are due to design that does not take security into account, hence are not correctable.
The Ounce Labs Advanced Research Team (ART) has documented two vulnerabilities that could affect Java Web apps utilizing the Spring Framework. Called "ModelView Injection" and "Data Submission to Non-Editable Fields," these vulnerabilities have the potential to allow attackers to subvert the expected application logic and gain control of an app., according to the ART documentation. That control could provide access to any data, credentials or keys held in the application.
What is most troubling about these vulnerabilities, according to Berg, is that they are not part of some correctable flaw within the framework, but a design issue. "[It's] a design issue that does not take security into account," Berg said. "Any organization utilizing this framework should fully understand the security implications of these design flaws and model their business processes and generate abuse cases to be sure that they are not being exploited."