Home page logo

webappsec logo WebApp Sec mailing list archives

RE: The Right Approach to Web Developer Education
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Wed, 30 Jun 2004 09:42:27 -0400

In college, we were taught - 'A Lazy programmer is a good programmer'. I believe this adage is very reflective of the 
way most of us code. How many of us don't strongly type our parameters in web based apps - especially since many of the 
APIs and languages we use don't require it. Take the simplest form of SQL injection - I have an integer parameter 
called product_id. In the DB, it's an int, but because it's passed as part of a String to a DB access layer, I don't 
cast it to an int ever - I simply concatenate the param with the rest of my SQL statement and done.

Many of us practice what I like to call 'Negative' or 'Passive' security, based on the mentality - if it ain't broke, 
don't fix it. This is the inherent problem. We need to take a 'Positive' or 'Active' approach to security, even before 
it becomes known to us that having taken the opposite path would have led to disaster.

Take the IIS bug discussion going on in a parallel thread. Some of the major exploits in IIS came about because people 
installed optional components on production servers that were buggy. We all know some of the issues with the IISSamples 
application that, by default, was part of IIS. But why would anyone install sample apps on a production server to begin 
with? Why waste disk space on something you don't need.

What programming really needs is an attitude change - parameters should only accept data that their supposed to accept, 
period. That change alone, although will initially cost more time and effort to retro-program, would save all of us 
from untold security headaches.

My $0.02

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]