Re: Top Ten Web App Sec Problems
From: Matt Curtin <cmcurtin(at)interhack.net>
Date: Sat Nov 30 2002 - 17:50:56 EST

Mark Curphey <mark@curphey.com> writes:

> In it you can see they say 79% of application reviewed have serious
We haven't made an empirical study, but the findings are pretty consistent with the kinds of things that I've seen. A lot of these problems seem to have to do with a failure to understand the deployment environment.

To a large degree, I think this has to do with people making themselves too specialized. Saying one is a programmer, when one's only real skill is C++ programming on Windoze, for example, is fairly common. Yet that skill is pretty useless without knowledge of things like networks, or some application domain... We have lots of folks developing web applications without any understanding of how the web works, in many cases failing even to understand such basic issues as HTTP state management, caching, even things like the difference between GET and POST request methods.

My suspicion is that we're seeing so many people who have specialized themselves into uselessness in no small part because of the influx of people who are unwilling to put in the time and effort needed to understand things. Instead, we get people who want to spend as little time as possible ("Teach Yourself Web Programming In Seven Days!"), with the result being that they can give the appearance of functionality, but cannot do much else.

This didn't cause as much difficulty for us when people were using standalone machines that were only used by trusted users. But now we have data coming from anywhere in the world from potentially hostile users. Failing to understand the properties of the environment and to address the risks thus presented just isn't "good enough" anymore.

-- 
Matt Curtin, CISSP, IAM, INTP. Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)

Received on Sat Nov 30 18:28:12 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:44 EDT