« Web application security is at its worst: we almost always find flaws, which shows that developers did not take security aspects into account. And this may come from world-class software companies. » (HSC)
« For far too many development professionals, Web application security only consists of producing applications that are functional and stable, not building hacker protection into the code or checking for SQL injection vulnerabilities. » (SPI Dynamics)
Web protocols are not secure by default, but web application developers could substantially raise the bar by following sound coding principles. As M. Andrews and J. Whittaker put it in their guide to web application security: “If developers only validated their inputs to what they are expecting to be given, rather than attempting to filter for malicious inputs (if at all), then 80-90% of web application vulnerabilities would go away. SQL Injection — gone, XSS — gone, parameter tampering — gone.” The point is positive validation: accept only what a field is defined to contain, instead of trying to recognise and strip whatever an attacker might send.
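To make that distinction concrete, here is an added example (written for this page, not code from the original article or from either book) contrasting the two approaches. The blocklist filter, the request schema, the field names and the attack strings are all constructed for illustration; the nested-tag payload is the classic way a single-pass substring filter is defeated.

```python
import re

# --- Negative approach: strip "known bad" input (blocklist) ----------------
# A typical weak filter: case-sensitive, single pass. Constructed for illustration.
BLOCKED = ("<script>",)

def blocklist_filter(value: str) -> str:
    """Remove blocked substrings and hand the rest through."""
    for bad in BLOCKED:
        value = value.replace(bad, "")
    return value

# A nested payload survives: removing the inner "<script>" re-assembles the outer one.
# blocklist_filter("<scr<script>ipt>alert(1)</script>") -> "<script>alert(1)</script>"
# A case variant is not even touched: "<SCRIPT>alert(1)</SCRIPT>" passes unchanged.


# --- Positive approach: define what each field may contain (allowlist) -----
# Hypothetical schema for an order form: field name -> (allowed pattern, cast).
SCHEMA = {
    "username": (re.compile(r"[A-Za-z0-9_]{3,32}"), str),
    "quantity": (re.compile(r"[1-9][0-9]{0,2}"), int),          # 1..999, no sign, no leading zero
    "comment":  (re.compile(r"[A-Za-z0-9 .,!?'-]{0,200}"), str),  # no < > " ; or quotes
}

def validate_request(params: dict) -> dict:
    """Return a dict of validated, typed values, or raise ValueError.

    Everything not explicitly expected is rejected: unknown parameter names
    (parameter tampering), missing fields, and any value that does not match
    its full pattern. Nothing is 'cleaned up'; bad input is refused outright.
    """
    unknown = set(params) - set(SCHEMA)
    if unknown:
        raise ValueError(f"unexpected parameter(s): {sorted(unknown)}")
    clean = {}
    for name, (pattern, cast) in SCHEMA.items():
        if name not in params:
            raise ValueError(f"missing parameter: {name}")
        raw = params[name]
        # fullmatch anchors the pattern to the whole value; re.match would not.
        if not pattern.fullmatch(raw):
            raise ValueError(f"{name}: rejected {raw!r}")
        clean[name] = cast(raw)
    return clean

def is_accepted(params: dict) -> bool:
    """Convenience wrapper: True if the request passes positive validation."""
    try:
        validate_request(params)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs covering the three bug classes from the quote.
    good = {"username": "alice_01", "quantity": "3", "comment": "Great product!"}
    attacks = {
        "sql injection":      {"username": "admin' OR '1'='1", "quantity": "1", "comment": ""},
        "xss (nested tag)":   {"username": "alice", "quantity": "1",
                               "comment": "<scr<script>ipt>alert(1)</script>"},
        "negative quantity":  {"username": "alice", "quantity": "-1", "comment": ""},
        "extra parameter":    {"username": "alice", "quantity": "1", "comment": "",
                               "is_admin": "true"},
    }
    print("valid request ->", validate_request(good))
    for label, req in attacks.items():
        print(f"{label:20s} accepted={is_accepted(req)}")
    print("blocklist bypass ->", blocklist_filter(attacks["xss (nested tag)"]["comment"]))
```

The blocklist has to anticipate every encoding, case variant and nesting trick; the allowlist only has to describe the three legitimate fields, and an unexpected value or parameter fails closed.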
It is not that simple. M. Graff and K. van Wyk, in “Secure Coding: Principles and Practices” (O’Reilly, 2003), identify three sets of factors that work against secure coding. Applied to web application development:
– Psychological and human factors (the “mental models”): you only see the errors you already know about, and error checking and testing are not regarded as the most ‘noble’ parts of a programmer’s job. Security holes often arise because unpredictable user (or attacker) behaviour was not taken into account, or because the expected inputs were never specified precisely enough.
– Real-world factors (economic and other social factors that work against security quality): web programming is easier than assembler coding; writing a script or an HTML page requires neither extensive experience nor software engineering skills. Then come the economic aspects: professional programmers are usually judged on how easily and quickly they deliver new functionality, not on their ability to write secure code.
Unfortunately, from a software vendor’s perspective, launching a new product on time is more important than launching a secure one.