PerlMonks

Comment on
The main reason for this kind of thing is simple: the people setting the priorities and development schedules at most web sites don't even know what security is. They think security is a checkmark on an application server feature list, not an ongoing struggle requiring diligence from all programmers.

In my experience, when it comes to QA there will be 50 bug reports about that broken spacer GIF you forgot to copy over to the web server but zero mention of things like session hijacking, cross-site scripting, etc. The only exception to this was when I worked at a site that had been attacked before, and people took it seriously enough to hire an outside security consultant for an audit when a new system went on-line.

The other problem, of course, is programmers who don't know or don't care about security. There are lots of people employed building web sites who have a very rudimentary knowledge of what they're doing, and this is true on any of the popular development platforms. I often talk to Java programmers who don't actually understand the HTTP model or even the basics of how forms work. They've been working with toolkits that abstract it all for them.

Ultimately, I suspect most companies will not be secure until after they have been attacked. The majority of web sites out there are ripe for exploits to anyone who actually cares to break them. Of course a single PC on a good link could take down about 99% of them just by running http_load on the right URL...


In reply to Managers can't see security by perrin
in thread Web Security by merlyn
