|The stupid question is the question not asked|
Re: web site design, or lack thereofby cjf (Parson)
|on Apr 07, 2002 at 23:59 UTC||Need Help??|
His response made my jaw drop (after I stopped giggling)
As funny as ignorance is, I'm more interested in the solution you gave him. If you could post the example code you showed him or a link to the resource you pointed him to I'm sure we'd all be able to learn from it.
Are people developing "web applications" without paying attention to Bugtraq and CERT notices
In most cases they probably are, but that's a very small part of the problem. Aside from an occasional PHP vulnerability or the like, CERT and Bugtraq don't really apply that much to people who are in charge of only developing small web apps. Good programing practices that lead to more secure code are more important than reading every post to Bugtraq in these cases. Of course it's an entirely different story if they're paying you to set up their servers or do a security audit.
If you design for the web, remember that it's much better to have a non-functional secure site than a non-secure functional site.
Security is not an all or nothing issue. It is often necessary to reduce security in favour of usability (if you disagree, consider how you got to this site :). However, the example you give introduces vulnerabilities needlessly but this is still important to keep in mind.
And finally, to add a bit more educational value to this thread, here are few relevant links: