RE: The Right Approach to Web Developer Education
From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Wed, 30 Jun 2004 09:42:27 -0400
In college, we were taught - 'A Lazy programmer is a good programmer'. I believe this adage is very reflective of the
way most of us code. How many of us don't strongly type our parameters in web based apps - especially since many of the
APIs and languages we use don't require it. Take the simplest form of SQL injection - I have an integer parameter
called product_id. In the DB, it's an int, but because it's passed as part of a String to a DB access layer, I don't
cast it to an int ever - I simply concatenate the param with the rest of my SQL statement and done.
Many of us practice what I like to call 'Negative' or 'Passive' security, based on the mentality - if it ain't broke,
don't fix it. This is the inherent problem. We need to take a 'Positive' or 'Active' approach to security, even before
it becomes known to us that having taken the opposite path would have led to disaster.
Take the IIS bug discussion going on in a parallel thread. Some of the major exploits in IIS came about because people
installed optional components on production servers that were buggy. We all know some of the issues with the IISSamples
application that, by default, was part of IIS. But why would anyone install sample apps on a production server to begin
with? Why waste disk space on something you don't need?
What programming really needs is an attitude change - parameters should only accept data that they're supposed to accept,
period. That change alone, although it will initially cost more time and effort to retro-program, would save all of us
from untold security headaches.
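The product_id example from the post, written out as an added illustration (this is not code from the original message or from any project it mentions). The table, the sample rows and the function names `lookup_lazy`, `lookup_strict` and `parse_product_id` are constructed for the demonstration; SQLite stands in for whatever database sits behind the DB access layer. The "lazy" version concatenates the request parameter into the SQL string exactly as described; the "strict" version enforces the integer type at the application boundary and then binds the value as a parameter, so the database never sees request data as SQL text.

```python
"""Lazy vs. strictly typed handling of an integer request parameter (constructed example)."""
import re
import sqlite3

# Upper bound for a 32-bit signed INT column, the usual type for an id.
MAX_INT32 = 2**31 - 1
# Only plain ASCII decimal digits count as an id; str.isdigit() alone also
# accepts Unicode digits such as superscripts, which int() then rejects.
PRODUCT_ID_RE = re.compile(r"[0-9]{1,10}")


def make_db():
    """Constructed in-memory product table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [(1, "widget"), (2, "gadget"), (3, "sprocket")],
    )
    return conn


def lookup_lazy(conn, product_id_param):
    """The 'lazy' pattern: the raw request string is concatenated into the SQL.

    Whatever arrives in the parameter becomes part of the statement, so the
    application's idea that product_id is an int is never enforced anywhere.
    """
    sql = "SELECT product_id, name FROM products WHERE product_id = " + product_id_param
    return conn.execute(sql).fetchall()


def parse_product_id(param):
    """Enforce the parameter's declared type before it goes anywhere near SQL.

    Accepts only a string of ASCII digits that fits the INT column; anything
    else (letters, spaces, operators, oversized numbers) raises ValueError.
    """
    if not isinstance(param, str) or PRODUCT_ID_RE.fullmatch(param) is None:
        raise ValueError("product_id must be a decimal integer")
    value = int(param)
    if value > MAX_INT32:
        raise ValueError("product_id out of range for INT column")
    return value


def is_valid_product_id(param):
    """True if parse_product_id accepts the parameter, False otherwise."""
    try:
        parse_product_id(param)
        return True
    except ValueError:
        return False


def lookup_strict(conn, product_id_param):
    """The 'positive' pattern: typed value, bound as a query parameter.

    Even if the type check were somehow bypassed, the placeholder keeps the
    value out of the SQL text, so the two defences are independent.
    """
    pid = parse_product_id(product_id_param)
    return conn.execute(
        "SELECT product_id, name FROM products WHERE product_id = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for param in ["2", "1 OR 1=1", "2 ", "99999999999"]:
        lazy = lookup_lazy(db, param) if is_valid_product_id(param) or param == "1 OR 1=1" else "n/a"
        strict = lookup_strict(db, param) if is_valid_product_id(param) else "rejected"
        print(f"{param!r:16} lazy={lazy} strict={strict}")
```

Run stand-alone, the script shows the concatenating version returning the whole table for a parameter that is plainly not an integer, while the strict version refuses the same parameter before any query is issued. The point the post makes is visible in `parse_product_id`: the check costs a few lines once, at the boundary, and every query behind it inherits the guarantee.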