The vulnerability of AT&T's servers suggests that five years after Paris Hilton gave T-Mobile a black eye for a loosely spec'd Web-based account recovery feature, carriers are still playing fast and loose with their public-facing applications. Back in 2005, when voicemail and contacts were all that were at risk, maybe that was OK (actually, it wasn't). In 2010, many of us use our phones and mobile devices for more sensitive transactions. They hold personally identifiable and financial information, and may well be used to access corporate assets such as email, critical applications, and files.
In short: The security of those public-facing applications matters a lot more in 2010. Plenty of security Cassandras have been talking about this problem for a long time. Their pleas have gotten more urgent as agile development methods and the gold rush on SaaS and hosted applications have driven coding standards even lower. The 451 Group's research director, Josh Corman, has been part of a group leading a charge for more "rugged" software development of the kind that would have ferreted out the gaping hole in AT&T's application code, while folks like Jeremiah Grossman at WhiteHat Security have been talking about the systemic problems caused by weak application security for, well, years.
Has much changed? Yes and no. On the one hand, hacks like this AT&T incident suggest that many firms are radically underinvesting in security. AT&T, just as an example, can thank the iPhone for the lion's share of its new subscribers -- as much as 73 percent as of the first quarter of 2009, at least according to one report. That translates into as much as $60 million a month in new revenue for the carrier.
Peeling off an extra 1 or 2 percent of that new revenue to really vet the application code (public-facing and otherwise) used to manage the accounts would buy the firm a lot of security smarts. A slew of firms that can help companies vet the security of applications -- Web-based and otherwise -- have sprung up in recent years, including Armorize, Cenzic, Veracode, and WhiteHat.
But most organizations don't use these services or other techniques that would prevent the kind of simple hacks that AT&T suffered this week. One reason is that there are still few incentives for enterprises or software vendors to prioritize secure code over timely code. Perhaps, if nothing else, the AT&T hack may provide some impetus for change.
Paul F. Roberts is a senior analyst covering enterprise security at The 451 Group.
This article, "AT&T's iPad security fumble is just the tip of the iceberg," was originally published at InfoWorld.com.