The spring is here (and web security)

The bicycling season is now officially open for me. I aim to go to work by bike for half of the year (April – September). Although the first days are filled with pain and fatigue, the positive effects are already showing. The dose of oxygen before work is a great performance booster, and of no less importance is the relaxing ride home after work. What a great way to forget your stress!
Now that work has been mentioned: I had an interesting 7-hour meeting on application security with a nice professional group of people from various companies. While the basics of web application security are rather simple, they are surprisingly poorly known to most developers. The dangers of XSS are not fully realized, and most people simply don't understand the huge risks involved in SQL injection. There is a tremendous need for more readable, compact information. Framework support is necessary, but not sufficient by itself.
Web security in a nutshell: Most vulnerabilities are the programmer's fault. A trivial slip causes catastrophes. You cannot buy a product to fix what the coder has broken. The only way to really improve things is by boosting the security skills of the organization. Learning is mandatory. Those working with me are thus forewarned. :-)

March 31, 2005 · Jouni Heikniemi · Comments Closed
Posted in: General