Fallacies of Distributed Computing: 4. The network is secure
The fallacies of distributed computing are a set of assertions describing false assumptions made about distributed systems.
The 8 fallacies are:
- The network is reliable
- Latency is zero
- Bandwidth is infinite
- The network is secure
- Topology doesn’t change
- There is one administrator
- Transport cost is zero
- The network is homogeneous
4. The network is secure
Your ecommerce website is accessible over HTTPS only, you rest easy knowing that all communication between your customers and your website is securely encrypted.
However, some of the scripts embedded in your website for gathering customer analytics are using HTTP. Also, that third party service you call privately from your own API to validate customer addresses works over HTTP because HTTPS was judged to be “too expensive” in a dim and distant past.
In April 2014 the Heartbleed vulnerability was made public. The SSL standard includes a heartbeat option, which allows one party communicating over an SSL connection to send a short message to the other party to check if they are available.
Heartbleed was a buffer over-read exploit on OpenSSL servers - by sending malformed hearbeat requests that weren’t validated by OpenSSL using bounds-checking, attackers were able to trick OpenSSL into returning random bits of memory from the server - even for failed connections. Because these bits of memory were often near the code authenticating users, it was possible to obtain authenticated user data just by pinging the server.
A cursory browse of the have i been pwned? website reveals millions of user details that have been exposed by attackers exploiting vulnerabilities like Heartbleed, poorly configured application stacks, unsecured databases, and so on.
The network is not secure.
Security should be built into the DNA of a system, not bolted onto it. As a quality attribute, it should be considered at the network, infrastructure, and application layers.
Data produced and consumed by the system should be identified and classified according to its nature (e.g. PII) and associated risk of exposure.
The Open Web Application Security Project (OWASP) maintain a top ten list of web application security risks. These can be considered as part of a broader threat modeling practice and (in some cases) evaluated on an automated basis.
Ultimately, the only truly secure system is one which cannot be observed or interacted with in any way by human or other means. As such, ensuring the security of a system based on identified risks and their probability while still meeting business goals in a timely fashion is frequently a non-trivial exercise.