WebApp Sec mailing list archives
Re: Top Ten Web App Sec Problems
From: Matt Curtin <cmcurtin () interhack net>
Date: 30 Nov 2002 17:50:56 -0500
Mark Curphey <mark () curphey com> writes:
In it you can see they say 79% of applications reviewed have serious session management flaws, and 73% have serious parameter manipulation flaws. Is this accurate in your opinion?
We haven't made an empirical study, but the findings are pretty consistent with the kinds of things that I've seen.

A lot of these problems seem to have to do with a failure to understand the deployment environment. To a large degree, I think this has to do with people making themselves too specialized. Saying one is a programmer, when one's only real skill is C++ programming on Windoze, for example, is fairly common. Yet that skill is pretty useless without knowledge of things like networks, or some application domain... We have lots of folks developing web applications without any understanding of how the web works, in many cases failing even to understand such basic issues as HTTP state management, caching, even things like the difference between GET and POST request methods.

My suspicion is that we're seeing so many people who have specialized themselves into uselessness in no small part because of the influx of people who are unwilling to put in the time and effort needed to understand things. Instead, we get people who want to spend as little time as possible ("Teach Yourself Web Programming In Seven Days!"), with the result being that they can give the appearance of functionality, but cannot do much else.

This didn't cause as much difficulty for us when people were using standalone machines that were only used by trusted users. But now we have data coming from anywhere in the world from potentially hostile users. Failing to understand the properties of the environment and to address the risks thus presented just isn't "good enough" anymore.

--
Matt Curtin, CISSP, IAM, INTP. Keywords: Lisp, Unix, Internet, INFOSEC.
Founder, Interhack Corporation +1 614 545 HACK http://web.interhack.com/
Author of /Developing Trust: Online Privacy and Security/ (Apress, 2001)