Caveat: This is straight from the “totally irresponsible unfounded speculation” department. I have not seen any evidence that would indicate any sort of hostile intent behind the trades discussed in this post. However, these trades do raise some important application security issues.
Apparently NASDAQ is backing out some very late-day trades for Google (NASDAQ:GOOG) that were for amounts all over the map (like $0.01/share). So far the official explanation was that those orders “were triggered by orders routed from another exchange.”
When I read that I thought of two things: input validation and threat modeling:
- Input Validation – It seems to me that when a stock that used to trade for $400.00/share suddenly has trades in the $0.01/share range that this should trigger some sort of input validation routine to flag the transaction as suspect and force it to endure more scrutiny before actually executing. Now, everyone noticed that these trades were strange after the fact, but why did they even go through in the first place? Validating inputs to make sure of length, type and so on is important. But validating inputs against business logic constraints is also critical.
- Threat Modeling – Inter-exchange trading is a very complicated thing. What causes trades from one exchange to be trusted by another? 99.9% of the developers out there aren’t building inter-exchange trading systems, but the lesson is universal. Too many systems we review fail to acknowledge trust boundaries between non-standard external interactors and internal processes. (Most) everyone now acknowledges that system users should be considered untrusted, but we see a lot of systems that implicitly trust data coming back from 3rd party web services, payment gateways, and other clearing houses. This is a big mistake – if you don’t control the system in question it is most likely on the other side of a trust boundary. Scrutinize the incoming data accordingly.
Presumably this will all get sorted out and it will be interesting to see how much more information about this incident is released to the public.
dan _at_ denimgroup.com