[WEB SECURITY] application attacks

Dennis Hurst dhurst at spidynamics.com
Mon Jul 17 15:40:37 EDT 2006


I'm new to the list so please pardon if I'm repeating something other
people have mentioned.



After being a developer for a long time and talking to developers about
security every day it seems that we (security people) miss a point very
often.  Even in an ideal world where developers knew what SQL Injection,
et al, are and know how to code against them you are still going to have
issues.  Web app security issues are frequently just bugs that have a
security aspect.  They are simple mistakes that people make when they
get in a rush.  I think this will always be the case which is why
testing for security issues is critical.  Just like people test for
functional issues we need to test for security issues.  No one says
"who's wrong?" when they find a simple bug, they just know that
development is a bug prone process and know that the process needs to
support stable software.  It seems to me that blame does not do any good,
but improving the process of developing secure software is a huge value.

 
Dennis Hurst
dhurst at spidynamics.com
Microsoft Developer Security - MVP


-----Original Message-----
From: AF [mailto:newsalaksa at nxtg.net] 
Sent: Monday, July 17, 2006 3:26 PM
To: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] application attacks


Hi there!

I think the mistake is in this sentence: 

> Now, every developer know how to
> protect their web applications against application attacks such as SQL
> Injection, XSS, HTTP smuggling, and others. So could someone give me some
> clear image about that. What's wrong?

The question is "Who's wrong?"
The answer is: You. :)

That's a fact: many web developers still don't know how to implement
security principles. Many don't even know security principles exist!

So when it comes to sql injection, xss, splitting, applogic, and so
on... well... there's still a lot of work ahead of us to do. This applies
to almost every industry!

Pentesting, for fun, but also teaching and spreading the information
around us, as much as we can. That's it. That's what we can (have to?) do.

@ntoine



----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
