[aklug] Re: Information Systems Audit

From: Arthur Corliss <acorliss@nevaeh-linux.org>
Date: Wed Feb 06 2013 - 14:39:55 AKST

On Wed, 6 Feb 2013, Doug Davey wrote:

> Hey now, application developers are (supposed to be) very security
> conscious. And leave it to system guys to just look at the traffic.

Idealized reality and practical reality are often miles apart, and in this
case that's been my experience.

> One of the most common ways for security to fail on a website is false form
> submissions that include some sort of injection. Real application
> developers will sanitize data and vet any incoming data carefully. That
> said comprehensive audit software is kinda lacking for web applications,
> http://w3af.org/ is kinda close, and is a good place to start.

I think that there's the rub. "Real app devs" =~ 20% of actual devs? I've
known developers in corporate life -- certified professionals -- that I
wouldn't trust.

What's scarier is the number of devs who abrogate their responsibility
towards security by blindly using module X for some functionality without
taking the time to understand *how* it's performing said functionality.
They don't even know what the attack vectors are. Web devs are the worst
(in general, not implicating anyone here) because they plug crap together
with no real knowledge of what's happening at the network and application
protocol layers. Most don't know their stack, they just know the icing
they're layering on top.

         --Arthur Corliss
           Live Free or Die
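The quoted remark about "false form submissions that include some sort of injection" and developers who "sanitize data and vet any incoming data carefully" is the concrete technical point in this thread. The following is an added example, not code from either poster: it shows a form-field lookup built by string concatenation (the failure Doug describes) next to the hardened form, which binds the value as a query parameter and validates it against an allowlist. The in-memory SQLite table, the `users` schema and the sample rows are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table standing in for a web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


# Allowlist for the username field: lowercase letters, digits, underscore, 1-32 chars.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_unsafe(conn, username):
    """Vulnerable form: the untrusted form field is spliced straight into the SQL text,
    so a value containing a quote changes the meaning of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, username):
    """Parameter binding only: the driver passes the value as data, never as SQL,
    so a hostile string simply matches no row."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_safe(conn, username):
    """Hardened form: reject anything outside the allowlist, then bind the parameter.
    Validation gives an early, loggable rejection; binding protects the query itself."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_bound(conn, username)


def demo():
    """Run all three lookups against a constructed hostile form value and a valid one."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed: a form field that is not a username
    result = {
        "unsafe_rows": len(lookup_unsafe(conn, hostile)),  # every row leaks
        "bound_rows": len(lookup_bound(conn, hostile)),    # nothing matches
        "valid_lookup": lookup_safe(conn, "alice"),
    }
    try:
        lookup_safe(conn, hostile)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two defences are complementary, not alternatives: binding keeps the query correct whatever the input contains, and the allowlist turns unexpected input into an explicit error the application can log and count, which is the kind of signal a traffic-watching sysadmin never sees.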
Received on Wed Feb 6 14:40:04 2013

This archive was generated by hypermail 2.1.8 : Wed Feb 06 2013 - 14:40:04 AKST