riahmat1c

So, you suck at web security… by riahmatic

  • 08:42:07 pm on February 4, 2008

    Looking at the blog’s tag list so far, it seems my choice of topic has already become heavily fragmented. But I must return for a moment to the original reason I wanted to start this blog: security. Or more specifically, web application security. Until January of 2008, I suspect I was like most web developers with regard to security. (Perhaps I’m wrong about that and I just happen to be more naive than others, but I wouldn’t doubt there are still others who are more naive than I would appear to be.)

    But anyway, sure, I hash my passwords with a salt before storing them in the database, and yes, I make sure to check for quote marks in SQL query parameters. These are things we all do because it is common practice to do so. Every beginner’s tutorial and guide mentions these things, so we have grown up performing these actions to secure our code. But that doesn’t mean we understand the real dangers behind them. And that in turn means we will likely not notice a closely related but slightly different attack vector that could exploit our code, not to mention other vulnerabilities that aren’t ever mentioned at all except in security-related guides (CSRF? XSS??).

    The only reason I stumbled into actual web security consciousness was because of some catchy headline in the search results for a totally unrelated query. Gareth’s post about JavaScript hacking immediately appealed to the coder in me. The strange-looking mangling of the language was oddly appealing. “How the heck does that still run!”, I thought. It was only after exploring the blog a bit more, and the others it linked to, that the situation began to sink in. This was a whole other face of web applications I had never known about. It’s shocking that such a fundamental part had totally escaped me for so long (perhaps some people are just lazy, but I plead ignorance).

    “If today’s malware mostly runs on Windows because it’s the commonest executable platform, tomorrow’s will likely run on the Web, for the very same reason. Because, like it or not, Web is already a huge executable platform, and we should start thinking at it this way, from a security perspective.” – Giorgio Maone

    Where security used to be a reactionary or routine action for me, it was a state of mind for these people. We often hear the cliché of “thinking like a hacker”, but really, security is only valued enough if you are always in that state of mind. They trust nothing! This is something that doesn’t happen quickly, either. Despite hours of reading papers and discussions, my first reaction to seeing a new technology is still “Wow, that would be a cool new feature to implement for users!” Wrong! The security researcher has already thought of several ways it could possibly be vulnerable and is now working out the details.

    Once you make the transition in your state of mind, you can begin to make more informed decisions on where to compromise features for security (ehh, now I’m starting to sound like my professor). Of course, not everyone has the capability to keep up with both worlds (that’s where the experts can make their dough), but an understanding of the dangers should at least be mandatory. The battle will always be features and functionality vs. security and privacy, but you should at least know what’s at stake before picking a side (or letting the hacker pick for you).

    So, I suppose my reason for starting this blog is to document one developer’s transition from pure developer to security-conscious developer, in hopes that someone else might read it and gain something for themselves. At my current level of experience, this is probably the best contribution I can give to the field right now. I haven’t seen many blogs that are easy to digest for beginners of webappsec like me, so I hope this one may help in that regard. Thanks for reading.

    (Of course, I’m still going to post other things I come up with or find interesting, but emphasis is on webappsec.)
