[WEB SECURITY] application attacks

Schmidt, Albert E AES at ola.state.md.us
Mon Jul 17 15:54:39 EDT 2006

I think it would be impossible or extremely difficult for any individual
or group of individuals to write a web application without
vulnerabilities just by their know ledge alone.  When ever I audit a web
application, I test to see if the agency performs web application scans
as part of their development cycle (prior to moving a web application
into production).  If they do not, I make a formal recommendation that
they do.  The state of Maryland's Department of Budget and Management's
Systems Development Life Cycle requires agencies to scan applications
for vulnerabilities (see excerpt below).  


Al S.



Excerpt: Systems Development Life Cycle (SDLC) - Volume 2, SDLC Phases,
Dated July 2002 

Source: Maryland Department of Budget and Management







The objective of this phase is to prove that the developed system
satisfies the requirements defined in the FRD. Another purpose is to
perform an integrated system test function as specified by the design
parameters. This function shall be the responsibility of the system
testers and will be heavily supported by the user participants. 


Prerequisites of this phase are the FRD, project management plan and
schedule, system baseline software and documents, and a test plan
containing all test requirements and schedules. 


Several types of tests will be conducted in this phase. First, subsystem
integration tests shall be executed and evaluated by the development
team to prove that the program components integrate properly into the
subsystems and that the subsystems integrate properly into an
application. Next, the testing team conducts and evaluates system tests
to ensure the developed system meets all technical requirements,
including performance requirements. Next, the testing team and the
Security Program Manager conduct security tests to validate that the
access and data security requirements are met. Finally, users
participate in acceptance testing to confirm that the developed system
meets all user requirements as stated in the FRD. Acceptance testing
shall be done in a simulated "real" user environment with the users
using simulated or real target platforms and infrastructures. 


2.3 Conduct Security Testing 

The test and evaluation team will again create or load the test
database(s) and execute security (penetration) test(s). All tests will
be documented, similar to those above. Failed components will be
migrated back to the development phase for rework, and passed components
will be migrated ahead for acceptance testing. 



-----Original Message-----
From: Dennis Hurst [mailto:dhurst at spidynamics.com] 
Sent: Monday, July 17, 2006 3:41 PM
To: websecurity at webappsec.org
Subject: RE: [WEB SECURITY] application attacks


I'm new to the list so please pardon if I'm repeating something other

people have mentioned.




After being a developer for a long time and talking to developers about

security every day it seems that we (security people) miss a point very

often.  Even in an ideal world where developers knew what SQL Injection,

et al, are and know how to code against them you are still going to have

issues.  Web app security issues are frequently just bugs that have a

security aspect.  They are simple mistakes that people make when they

get in a rush.  I think this will always be the case which is why

testing for security issues is critical.  Just like people test for

functional issues we need to test for security issues.  No one says

"who's wrong?" when they find a simple bug, they just know that

development is a bug prone process and know that the process needs to

support stable software.  It seems to me that blame does not do any good

but improving the process of developing secure software a huge value.



Dennis Hurst

dhurst at spidynamics.com

Microsoft Developer Security - MVP






-----Original Message-----

From: AF [mailto:newsalaksa at nxtg.net] 

Sent: Monday, July 17, 2006 3:26 PM

To: websecurity at webappsec.org

Subject: Re: [WEB SECURITY] application attacks



Hi there!


I think the mistake is in this sentence: 


> Now, every developer know how to 

> protect their web applications against application attacks such as SQL


> Injection,XSS, HTTP smuggling, and others. So could someone give me


>  clear image about that. What's wrong?


The question is "Who's wrong ?"

The answer is : You. : ) 


That's a fact: many web developpers still don't know how to implement


principles. Many don't even know security principles exist!


So when it comes to sql injection, xss, splitting, applogic, and so

on... well... there's

still a lot of work ahead of us to do. This applies to almost every



Pentesting, for fun, but also teaching and spreading the information

around us, 

as much as we can. That's it. That's what we can (have to?) do.








The Web Security Mailing List: 



The Web Security Mailing List Archives: 


http://www.webappsec.org/rss/websecurity.rss [RSS Feed]




The Web Security Mailing List: 



The Web Security Mailing List Archives: 


http://www.webappsec.org/rss/websecurity.rss [RSS Feed]


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20060717/1d303b64/attachment.html>

More information about the websecurity mailing list