Ethics aside, my real heartburn is why a SOCIAL MEDIA company was asked to deliver this service.
Facebook allegedly did nothing to verify the security of applications it was paid tens of thousands of dollars to review. Putting Facebook’s deceptive and ethically questionable behavior aside, the core problem remains that we shouldn't accept or use applications that haven't been security tested or built by a team that can demonstrate its ability to write secure code. We as consumers are constantly demanding “proof” from makers of toys, drug/car manufacturers, etc. that those products are built with safety in mind – some are even regulated by an industry body such as the FDA. While I agree that we need to maintain a higher bar when it comes to personal safety, why is there virtually no “bar” with respect to manufacturers of software applications?
Organizations that sell software applications, or verify their security (which Facebook was ignorantly asked to do), ought to show some kind of proof that they have at least adopted some (even if informal) “standards” for application security. I suspect they have not, and now Facebook is subject to 20 years of inspections from the FTC because they either didn’t have the time, appreciation, or expertise (which I suspect is the case) to assess the security of applications being deployed on their web site. What a waste of time and money (both Facebook's and US taxpayers'). I’m not sure if Facebook or Google is the worse offender -- Google getting fined for bypassing Safari protections this week – the point is that individuals and organizations who write the software are the ones who should be responsible (and accountable) for its security.
I applaud the statement Facebook made regarding the idea of verification applying to all of the applications on the Facebook platform; however, now there is a lack of trust that they'll actually do it.
Better yet, take the control out of the hands of the app stores like Apple, Google, and Facebook. We need an INDEPENDENT certification program for software security (similar to the Certified for Windows program) … and doing so at an individual level vs. an app level creates leverage: developers write many apps.
Unfortunately, we continue to feel the pain of the "university problem." Simply put, schools aren't teaching software developers how to write secure code (despite offering degrees in Computer Science and Software Engineering). As an industry, we have to educate ourselves, and we’re starting to offer some great resources:
- OWASP's checklists and secure coding assets (www.owasp.org)
- ISSECO, a European-based non-profit who has certified hundreds of software developers. They’ve got a solid certification and training program (see: http://www.isseco.org)
- MS SDL web assets (see: www.microsoft.com/security/sdl)
Read. Learn. Certify.