Fortify: Twitter worms show need to incorporate security into program code development
April 2009 by Fortify Software
The fact that Twitter has been hit by as many as four worms over the Easter weekend highlights the need to include the code audit and security process in the software development cycle, says Fortify Software, the application vulnerability specialist.
"Media reports have made much about the author of what appears to be the first generation of Twitter worms, but they appear to have missed the point that these are actually basic cross-site scripting (XSS) security problems," said Barmak Meftah, Fortify Software’s senior vice president of products and technology.
"The situation acts as yet another reminder that code vulnerability exploitation is now sufficiently high up the hacker agenda to warrant the inclusion of code auditing in the software planning and development process," he added.
According to Meftah, a company can no longer claim to take security seriously simply because it fixes problems after they occur.
This Twitter hack, he says, is a classic example of how poor coding enables attacks that should never have been possible in the first place.
There is, he explained, no excuse for poor coding, even with free software.
"Twitter claims they’ve solved it, but this is hard to believe. If you can find 4 vulnerabilities in 48 hours, this indicates a bigger problem. This highlights a common issue—developers rapidly writing code with minimal auditing and few security checks," added Meftah.
"When it comes to security, or rather, the lack of it, Web 2.0 has become a deja vu for the early days of the Internet," he said.