- GATE Village Technical Overview Presentation
- Some helpful advice
- What Is GATE Village?
- Why Drupal was chosen
- Drupal Provided GATE Village
- Drupal: The Good
- Drupal: The Bad
- Drupal: The Ugly
- GATE Trust System
- MLM and E-commerce
- The Six-Month Evolution
- Beauty
- Brains
- Form
- Function
- Custom Coding
- Custom Content Types
- The Complexity -- (don't try this at home)
- The Complexity (cont)
- Hosting
- Security
- Drupal Security -- An Introduction
Submitted by Dave Kinchlea on Mon, 2009/12/14 - 10:44
- The problems are at the same time many and few; varied and yet similar
- Many: SQL Injection, XSS, XSRF, Buffer Overrun, Heap Overrun, ScriptJack, default / empty password, bad encryption, bad permissions, uninitialized variables, etc.
- Few (one?): unanticipated, untrustworthy data
- Much, MUCH easier to design for security than to react to it
- (simple example) GET versus POST -- it has always been relatively easy to use POST; porting from GET is work
- SQL Injection -- easy to design secure use, hard and error prone to add in after the fact
- XSS / XSRF -- a more complex example that some legacy apps find infeasible to fix but could easily have avoided (hindsight is always 20/20)
- Lax security model -- it is vital that one understands what is and isn't possible to protect against
- PHP access is a wide-open, yet hidden door; Trust must be absolute
- Cleartext is CLEAR TEXT -- there is no security in HTTP
- Snooping the network
- Logging access
- Man In The Middle SSL attacks -- invalid security certificates abound and lead to bad habits; this is easy (but relatively expensive) to automate
- Most CDN use MITM technology; sigh
- Poorly chosen passwords -- it really does matter
- Insiders are far more dangerous than outsiders
- Some things are REALLY HARD and the people doing it don't understand (or care) and do it anyway
- Classic example is Encryption -- easy to understand concept but the mathematics involved are VERY difficult; little mistakes in design or coding can be devastating
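The "design for, don't retrofit" and "one root problem: untrustworthy data" points above, as an added example that is not part of the original deck or of GATE Village's code. It uses plain PHP PDO with an in-memory SQLite table and a constructed request value rather than Drupal's own database API, so it runs offline.

```php
<?php
// Added example (not from the GATE Village deck): one untrusted value
// handled two ways. In-memory SQLite so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test')");
$db->exec("INSERT INTO users (name, email) VALUES ('bob', 'bob@example.test')");

// Constructed "untrustworthy data": a name as it might arrive in a request.
$untrusted = "alice' OR '1'='1";

// Before: the request value is spliced into the SQL text, so the data
// rewrites the query and every row comes back instead of none.
function lookupConcatenated(PDO $db, string $name): array {
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the SQL text is fixed at design time and the value travels
// separately as a bound parameter; the same input matches no row.
function lookupPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same principle at the output boundary (the XSS side of the point):
// escape for the context the data is about to enter, here HTML text.
function renderName(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

printf("concatenated: %d rows\n", count(lookupConcatenated($db, $untrusted)));
printf("prepared:     %d rows\n", count(lookupPrepared($db, $untrusted)));
echo renderName("<b>" . $untrusted . "</b>"), "\n";
```

Retrofitting the second form onto an application built around the first means finding every query and every output site after the fact, which is the cost the slide is pointing at.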