WebApp Sec mailing list archives

Re: Top Ten Web App Sec Problems


From: Matt Curtin <cmcurtin () interhack net>
Date: 30 Nov 2002 17:50:56 -0500

Mark Curphey <mark () curphey com> writes:

> In it you can see they say 79% of applications reviewed have serious
> session management flaws, and 73% have serious parameter manipulation
> flaws.
>
> Is this accurate in your opinion?

We haven't made an empirical study, but the findings are pretty
consistent with the kinds of things that I've seen.  A lot of these
problems seem to have to do with a failure to understand the
deployment environment.

To a large degree, I think this has to do with people making
themselves too specialized.  Saying one is a programmer, when one's
only real skill is C++ programming on Windoze, for example, is fairly
common.  Yet that skill is pretty useless without knowledge of things
like networks, or some application domain...  We have lots of folks
developing web applications without any understanding of how the web
works, in many cases, failing even to understand such basic issues as
HTTP state management, caching, even things like the difference
between GET and POST request methods.

My suspicion is that we're seeing so many people who have specialized
themselves into uselessness in no small part because of the influx of
people who are unwilling to put in the time and effort needed to
understand things.  Instead, we get people who want to spend as little
time as possible ("Teach Yourself Web Programming In Seven Days!"),
with the result being that they can give the appearance of
functionality, but cannot do much else.

This didn't cause as much difficulty for us when people were using
standalone machines that were only used by trusted users.  But now we
have data coming from anywhere in the world from potentially hostile
users.  Failing to understand the properties of the environment and to
address the risks thus presented just isn't "good enough" anymore.

-- 
Matt Curtin, CISSP, IAM, INTP.  Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)
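The two flaw classes in the figures quoted above (session management and parameter manipulation) both come down to the point made in the reply: treating data that arrived from an untrusted client as if it were trustworthy. The following is an added illustration, not code from the original message or from the report the question refers to. It models requests as constructed Python dicts rather than real HTTP, uses invented account data, and contrasts a handler that takes the user id and role from request parameters with one that derives identity only from a server-side session keyed by an unguessable cookie. It also shows why the GET/POST distinction is not a trust boundary: query-string and body parameters are parsed the same way and are equally under the sender's control.

```python
"""Parameter manipulation vs. server-side session state.

Added example (not from the original post).  Requests are constructed
dicts, not real HTTP; ACCOUNTS and SESSIONS are invented sample data.
"""
import secrets
from urllib.parse import parse_qs

# Constructed sample data: account records keyed by user id.
ACCOUNTS = {7: {"owner": "alice", "balance": 1200, "role": "admin"},
            42: {"owner": "bob", "balance": 35, "role": "user"}}

# Server-side session store: session id -> user id.  Filled only by login().
SESSIONS = {}


def login(user_id):
    """Create a session and return its id.  secrets.token_urlsafe gives
    256 bits of entropy, so an id cannot be guessed or incremented."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user_id
    return sid


def params(request):
    """Merge query-string and body parameters.  Both are attacker-controlled:
    GET vs. POST changes where the data travels, not who can set it."""
    merged = {}
    for raw in (request.get("query", ""), request.get("body", "")):
        for key, values in parse_qs(raw).items():
            merged[key] = values[0]
    return merged


def show_account_vulnerable(request):
    """Flawed: identity and role come from whatever the client sent."""
    p = params(request)
    uid = int(p.get("user_id", 0))
    if uid not in ACCOUNTS:
        return 404, None
    acct = ACCOUNTS[uid]
    view = {"owner": acct["owner"], "balance": acct["balance"]}
    if p.get("role") == "admin":            # a hidden field treated as truth
        view["all_balances"] = {u: a["balance"] for u, a in ACCOUNTS.items()}
    return 200, view


def show_account_hardened(request):
    """Identity comes only from the session cookie, the role only from the
    server-side record; client-sent user_id and role are never consulted."""
    sid = request.get("cookies", {}).get("sid")
    uid = SESSIONS.get(sid)
    if uid is None:
        return 401, None                    # no valid session: not logged in
    acct = ACCOUNTS[uid]
    view = {"owner": acct["owner"], "balance": acct["balance"]}
    if acct["role"] == "admin":
        view["all_balances"] = {u: a["balance"] for u, a in ACCOUNTS.items()}
    return 200, view


def demo():
    """Bob (user 42) logs in, then tampers with his own request."""
    sid = login(42)
    # Legitimate request, as a browser form would POST it.
    honest = {"method": "POST", "body": "user_id=42", "cookies": {"sid": sid}}
    # Same session cookie, but user_id rewritten to Alice's and a role added,
    # sent as a GET so that the parameters also show up in the query string.
    tampered = {"method": "GET", "query": "user_id=7&role=admin",
                "cookies": {"sid": sid}}
    return {
        "vuln_honest": show_account_vulnerable(honest),
        "vuln_tampered": show_account_vulnerable(tampered),
        "hard_honest": show_account_hardened(honest),
        "hard_tampered": show_account_hardened(tampered),
        "no_cookie": show_account_hardened({"query": "user_id=42"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run as a script, the vulnerable handler returns Alice's record plus every balance for the tampered request, while the hardened handler returns Bob's own record for both the honest and the tampered request and 401 when no session cookie is present. The design point is that the only client-supplied value the hardened handler trusts is the session id, and that value is safe to trust precisely because the server generated it with enough entropy that it cannot be forged; everything else about the user is looked up server-side.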

