Wednesday, April 6, 2016

New Rad Studio Coming - Security?

On April 21st and 22nd there will be a webinar that goes over the highlights of RAD Studio.

Embarcadero presenters will discuss, among other things, the following topics:
  •  A new installation tool with GetIt technology and the choice of what you want to install
  •  Extended support for Bluetooth LE on Windows 10 and a framework for IoT components
  •  FireUI App Preview - Preview your forms on any target device (desktop or mobile)
It looks interesting. I have had many complaints about the installer over the years for taking up too much disk space. I am also working on IoT devices (usually building them) every week now, so I am excited about any improvements in this area.

I also wonder how much of it will include improvements in the security areas I have concerns with. Granted, most of my concerns deal with the websites more than the product. I suspect I won't get the information I want in this webinar; it will only come through a review of the product.

I started contacting Embarcadero regarding several specific security issues on Aug 30, 2015, right before the Idera purchase. Some of these were addressed: for example, the community toolbar in RAD Studio no longer uses an unencrypted session when you log in, and AppAnalytics uses HTTPS instead of HTTP.

But nothing appeared to change on the websites. Then on March 12th the Embarcadero website was hacked. After a couple of "I told you so" emails, the problems were escalated. I produced a multi-page security report detailing issues with every Embarcadero website. This finally generated some action. I had a very good call with Atanas Popov, the General Manager of Embarcadero's Developer Tools; we discussed how they can improve security on both the websites and the products. I now know they are listening; I am now watching to see if the listening turns into action.

I love Delphi; it's a great tool, I want to see it succeed, and it has had a very positive impact on my career. Given that, it's been really difficult to be positive for the past several months, so I have chosen instead to be quiet, but I believe it's time to be publicly vocal. In my job I have to deal with security concerns all the time. My employer is constantly under attack, so hardening systems and software is always a concern, and I am required to demand that from the vendors we use. If a vendor fails to take security seriously, it has a huge negative impact on my ability to use that vendor.

So here's to hoping we get some greater transparency and action on security issues.

6 comments:

  1. I love Delphi it's a great tool I want to see it succeed and has had a very positive impact on my career - Me too.

  2. I am also in a similar position. I have a couple of commercial products written in Delphi and I am concerned about the future of the tool.

  3. The same concerns with the tool have been apparent since 1995. Yet it's still here. There's a lot of FUD about Delphi, yet it still provides (IMHO) better cross-platform support, faster binary operation and better developer productivity than almost any other tool out there. When you add all of this up, most of the complaints are faceless compared with what the world would look like without Delphi. So I would suggest objectivity here. You are all developing in the right tool and it has only gotten way stronger in the past 5 years than before that.

    Replies
    1. Yep, FUD; it's been earned. 221 days since I notified them of security issues. Most issues have not been dealt with. If I was a security researcher I would have published my findings after 90 days. Instead I waited this long to publish the fact that they exist. Security researchers would have wanted a bug bounty payment; I just want them to fix the problems. It's clear I was ignored when it comes to the website. I don't trust Embarcadero anymore; it's going to take some highly visible effort to regain that trust.

      I am required to write security applications. How can I use a product to develop applications when ALL of the websites they have developed are not secure? You need to trust your technology vendors, but you should still verify that. When I verified it I was surprised, then hoped for a fix, gave up, and now publicly complain, with a small measure of hope.

    2. This comment has been removed by the author.

  4. I started to write about the lack of security in Delphi when they released the new DataSnap back in 2010 (and it's a design issue, not an implementation one). They repeated the same mistakes in their other remoting frameworks. Delphi does not have wrappers for the OS authentication/encryption libraries, and because no one at Embarcadero took care of the paperwork to export software with encryption (it's really just some paperwork...), they delivered only known-unsafe algorithms (RSA with short keys) and totally unknown ones ("PC1") they found for free by googling. Did the RTL/VCL/etc. ever undergo a full security audit? I'm not sure all functions are safe. What about Indy? Today security is no longer optional; almost every day you see someone hacked and important data stolen. Still, Embarcadero may listen, but doesn't act, or acts very slowly. How long could it afford that?

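The "RSA with short keys" point in the comment above can be shown concretely. The following is an added example written for this page, not code from the commenter, from Embarcadero or from Delphi; it builds a toy RSA key from two small primes (constructed values, a 40-bit modulus chosen purely for illustration), then recovers the private exponent from nothing but the public key by factoring the modulus with a textbook Pollard's rho. Only the Python standard library is used.

```python
"""Added illustration: a short RSA modulus gives no confidentiality.

Not Embarcadero or Delphi code. The key below is a constructed toy
(two ~20-bit primes); real keys are thousands of bits for exactly this
reason. Given only the public key (n, e) we factor n and rebuild d.
"""
import math
import random


def pollard_rho(n: int, seed: int = 1) -> int:
    """Return a non-trivial factor of the composite integer n.

    Floyd-cycle Pollard's rho with the polynomial x^2 + c (mod n).
    The RNG is seeded so the demonstration is reproducible.
    """
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    while True:
        c = rng.randrange(1, n)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n          # tortoise: one step
            y = (y * y + c) % n          # hare: two steps
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:                       # d == n means this c failed; retry
            return d


def recover_private_key(n: int, e: int) -> tuple:
    """Given only the public key (n, e), return (p, q, d) with p < q."""
    p = pollard_rho(n)
    q = n // p
    if p > q:
        p, q = q, p
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # modular inverse (Python 3.8+)
    return p, q, d


# Constructed toy key: two small primes giving a ~40-bit modulus.
TOY_P = 999983
TOY_Q = 1000003
TOY_E = 65537
TOY_N = TOY_P * TOY_Q


def break_toy_key(message: int = 42) -> dict:
    """Encrypt with the public key, then decrypt with the *recovered* key."""
    ciphertext = pow(message, TOY_E, TOY_N)
    p, q, d = recover_private_key(TOY_N, TOY_E)
    return {
        "bits": TOY_N.bit_length(),
        "p": p,
        "q": q,
        "d": d,
        "recovered_plaintext": pow(ciphertext, d, TOY_N),
    }


if __name__ == "__main__":
    result = break_toy_key()
    print(f"{result['bits']}-bit modulus factored: p={result['p']} q={result['q']}")
    print(f"recovered plaintext: {result['recovered_plaintext']}")
```

On a modulus this small the factoring finishes in milliseconds, and the attack needs nothing from the implementation but the public key. That is why key length is a design decision, not an implementation detail: 512-bit RSA moduli have been factored publicly since 1999, so a product that ships only short keys is unsafe no matter how carefully the rest of the code is written.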