
Custom Applications — Devil Spawn or Heavenly Addition

October 7th, 2006

So I'm in cold (well not really) Northern Ontario attending a wedding this weekend and while at a rehearsal party this evening I got to talking shop with a semi-distant relative... He's an old hand in the IT world, having graduated Computer Science at university long before I was born and having worked with Unix and in the programming world... These days he's running his own company... his backend is custom software... This got me thinking about custom applications...

So instead of designing something yourself, you go out and purchase a license.... Let's use something that gets a lot of public use.. Shopping Cart software... I've seen plenty of places that use custom shopping cart software... There are plenty of others that purchase some of the more well known packages. A quick Google search brings up plenty of available solutions... However, as you browse smaller "indy" sites, they sometimes tend to design their own very basic systems...

Pros and Cons? In-House shopping carts are developed for a certain purpose.... "commercial" (we'll include OSS for the purpose of this discussion.... essentially all "premade" solutions) shopping carts are more generic.... designed to fit many different needs with little customization. In-House shopping carts may not interact well with Merchant Accounts, Credit Card vendors, or Online Vendors (such as PayPal and WorldPay).. commercial solutions generally do... These are little differences that push many people towards the commercial software.... but what would this be without a security discussion..

So.... Security.... let's break it down to advantages of each..

In-House Shopping Cart

  • Other people don't easily have access to the source (generally ASP or PHP, which runs server-side and is never sent to the browser)
  • You don't have to write in the advanced functionality that sometimes contains the more common flaws, you can stay fairly basic... eliminating flaws that occur due to complexity.
  • You know exactly what everything does... Nothing should be unexpected
  • You can fix problems immediately, you don't need to rely on a vendor supplied patch.
  • If you know MySQL you can use it... if you know PostgreSQL you can use it... You aren't stuck with the backend that someone else picked... you can use the one you are comfortable with, which usually means something you can secure (secure better than software you are unfamiliar with, anyway).

"Commercial" Shopping Cart

  • Plenty of users means plenty of opportunity for bugs to be found, which means fixes come out more frequently and many problems are closed before malicious people get to use them.
  • You can compare products and pick one with a strong track record of reliability and security... It gives you a stronger starting point.
  • The developers are generally strong programmers with experience (you'll have to do your research to prove this one)... The better the programmer, generally the better the code, which generally translates to "more secure code".

You may have noticed a pattern... If you haven't... look again.. notice how often words like "generally", "usually", "sometimes" and "may" show up in that little bit....

The problem is we can only deal in generalities... we can't say anything for certain... Looking at those lists it is a difficult decision.... "Stronger developers on a product known to be secure, with plenty of opportunities to fix bugs and flaws before they are exploited" or "Software that can be patched immediately, that you know the ins and outs of and that is very tailored to your application, with none of that unneeded advanced functionality." Both of those are appealing... but I tend to lean more towards commercial applications... you may have to wait a bit for the fix, but there is generally a mitigation possible as soon as the problem is found (if you're willing to apply it)...
That being said... the more I look at this, the more I see valid reasons for developing in-house software.... The ability to tailor it to your needs, wrap it around your environment and know the ins and outs are all very tempting... the problems I see are two-fold..

  1. Even though people won't easily have access to the source, they don't necessarily need it... XSS and SQL Injection are generally fairly simple to find from the outside: you feed the application unexpected input and watch how it behaves, no source required... and look away from ASP/PHP solutions... take a look at desktop applications.. how often are flaws found via fuzzing, toying or even just day to day usage and making a simple mistake that reveals a cool flaw. Keeping the source private is really just security through obscurity... something that I'm not a fan of.
  2. Other people run the "commercial" software... I think this is key... Yeah, your site may be compromised via some unknown 0-day, but that can happen with custom software as well... A generic XSS/SQL Injection tool... a protocol fuzzer.... someone who stumbled upon your site and wanted to test the security of it... However, let's say you develop "CDO Shopping Cart"... You're 100% of the user base... However, if you take something like x-cart, plenty of people are using it... you may be 0.01% of the user base... The odds are someone else will be attacked instead of you.... Yes, the odds also say that it's more likely someone will look for a flaw in that software, and once a flaw in a popular package is public the scanners go looking for every install of it, yours included... but personally that's a risk I'd be willing to take, as long as I apply the fix when it ships....
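To make point 1 concrete, here is an added example (not code from the original post) that puts a home-grown login query built by string concatenation next to the same query written with bound parameters, and then probes both the way an outsider without the source would: send a normal credential, send one carrying a quote-breaking payload, and compare the results. The table, the sample users and the function names are all constructed for this illustration; the database is SQLite in memory so the whole thing runs offline.

```python
import sqlite3

# Constructed sample data (not from the original post): a tiny users table of
# the kind a basic in-house shopping cart might keep behind its login form.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database loaded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The home-grown way: user input is spliced straight into the SQL text.

    Returns the sorted list of e-mail addresses the query matched
    (an empty list means the login failed).
    """
    sql = ("SELECT email FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Same query, parameterized: the driver binds the values, so a quote in
    the password is just a character in a string, never part of the SQL."""
    sql = "SELECT email FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# A classic quote-breaking payload: closes the password literal and ORs in a
# condition that is always true, turning the WHERE clause into a match-all.
INJECTION_PAYLOAD = "' OR '1'='1"


def blackbox_probe(login):
    """What an attacker without the source does: compare a failed login against
    the same login with a payload in the password field.  Any change in the
    outcome is the tell-tale sign of injection.  Returns True if injectable."""
    conn = make_db()
    baseline = login(conn, "alice", "definitely-wrong-password")
    injected = login(conn, "alice", INJECTION_PAYLOAD)
    return injected != baseline


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload  ->", login_vulnerable(conn, "alice", INJECTION_PAYLOAD))
    print("safe, payload        ->", login_safe(conn, "alice", INJECTION_PAYLOAD))
    print("vulnerable injectable?", blackbox_probe(login_vulnerable))
    print("safe injectable?      ", blackbox_probe(login_safe))
```

Against the concatenated query the payload returns every user's e-mail, so the probe flags it with nothing more than two HTTP-style requests and a diff of the responses; against the parameterized query the two responses are identical. That behavioural difference is exactly what a generic injection tool looks for, which is why keeping the ASP or PHP private buys so little.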

It's an interesting concept either way.... Sometimes custom applications are definitely the answer.... other times I think the commercial apps are a better bet... Then you actually get into breaking down "commercial" applications... You have Free/OSS and true Commercial... We could have a whole debate over the patch cycles for these and we'd never have a winner.... We could also compare small companies that charge an arm and a leg for nothing special (CreativeManagerPro comes to mind) to, say, a large company solution (Let's say Microsoft CRM + Sharepoint w/ Exchange and IIS) which generally costs less and provides more support but may not be as tailored out of the box as you'd like.... Which do you choose then.... I say Microsoft... their security is improving... you know they're good for a regular patch cycle.... but who's heard of the alternative or knows what they do...

Security is a tricky business... but I think ultimately you need the proper mix of in-house software and "commercial" software in order to keep an operation going... neither is going to be perfect... both may serve you well... I would lean towards more "commercial" with a smattering of in-house, but how does everyone else feel? Is In-House software the spawn of Satan.... or is it God's improvement to your enterprise?

Peace,
HT
