RETURN $ecure;

Security, Technology and Life

The Murky Science of Web Application Security


Jeremiah had a talk with Simson Garfinkel about Web Application Security recently. You can read Jeremiah’s post here and the full article here.

There is nothing new at all from a security perspective in this article, but it really lives up to its name as an introduction to Web App Sec. It points out a few things we already knew, such as the scary fact that up to 80 percent of all websites suffer from some sort of vulnerability. The ones that don’t are mostly static HTML sites with no complex backend, ‘brochure-ware’ as the article calls it.

It also elaborates on some of the issues that must be faced, such as the need for secure coding. In most cases (but not all) it is pretty bad practice to just slap on a WAF and hope for the best. As this quote points out:

 Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It’s better to look for the bugs and fix them than to simply cross your fingers and hope that they aren’t there.

So all in all, if you’re a frustrated web app sec guy, this is a great article to show the higher-ups. Murky indeed. As RSnake would say, clear as mud?


Written by Rodney G

05/14/2007 at 11:00 am

Posted in Uncategorized


2 Responses


  1. It’s pretty much impossible to have a totally secure site anymore. Even so-called “hacker safe” sites have some sort of vulnerability that can be exploited, no matter what the coders do. It’s more a matter of coding in a way that stops as many of the basic attacks as possible in order to keep the riff-raff out, but a very good hacker is still going to get in if they really want to.

    Loki

    05/14/2007 at 11:14 am

  2. Fucking webapps. Yet another reason, to add to a pile of many, not to use webapps – why bother sending information to another country, and another server, for stuff you can easily do on your own computer? I understand the limited usefulness if you don’t have access to your own computer, but otherwise it is a complete waste of time and resources.

    Dankoozy

    05/22/2007 at 11:38 am
