Following the news that Facebook has awarded its highest bug bounty to date, $33,500, Amichai Shulman, CTO of Imperva, writes that this flaw discovery should serve as a warning sign:
“Facebook is one of the companies that probably have invested the most in their application security over the past years. The fact that critical vulnerabilities still pop up in their application should serve as a warning sign to anyone who believes that writing vulnerability free applications is possible.
“Remote execution flaws are a tidal phenomenon. Usually people find a way to abuse a specific infrastructure (in this case OpenID) and then suddenly we see many flaws being reported in different places that use this infrastructure. Are critical flaws hard to find? Sadly, the answer is no.
“Re the 4-hour time-to-fix: maybe Facebook has enough talent to pull this off, maybe the functionality in question was determined to not form part of any critical application path so the risk of breaking it was low, and maybe whoever took the decision to deploy a patch over all servers within 4 hours is extremely bold. For most organizations out there, the timeframe required to analyze a vulnerability report, create a fix, test it, and deploy it in production is orders of magnitude longer. These organizations must have a solution in place that allows vulnerability mitigation outside the application code – namely a web application firewall (WAF).”