I was at a presentation of a local user group recently. I won't give more details than that to avoid embarrassing the guilty parties. However, the presenter talked about an e-commerce application being developed for the web that he had spent a year developing, and was already in production. Some of the application involved doing a database query and showing the result on the web page. When I noticed no particular care being given to escaping HTML entities, I asked point blank "What considerations are you making to avoid cross-site scripting attacks?". His response made my jaw drop (after I stopped giggling): he went into detail about the security of the cookies being sent to the browser. All of which was cool, but was exactly the wrong place to look to avoid cross-site scripting attacks, where a user can place HTML displayed to another user, and thereby execute JavaScript which steals cookies and therefore identities and everything that implies.

I'm shocked. Is this typical? Are people developing "web applications" without paying attention to Bugtraq and CERT notices, or even noticing that something they might be doing might be compromising their customers' security?

A few minutes later, I asked about cookie usage, wondering if the path of the cookie was being set properly, since he reported that sometimes you get "logged out" inconsistently. It took about six tries before he had a clue what I was asking.

And then he was talking about putting entire SQL queries into a cookie to provide paging access through the result set! As if by luck, he figured out that that "might be insecure", so instead he simply puts the parameters of the query into cookies!

Clues, people. Clues. These are all things that are basic security issues: the ignorance of which results in loss of revenue or privacy, possibly undetected.

And people wonder why I'm trying to sell my code review services. {grin}

As one person left the presentation, she commented quietly to me, "I like your brain." Which I'll presume to mean that I was asking the exactly right questions, and proved that this wasn't the guy that the rest of us should be learning from for strategy.

If you design for the web, remember that it's much better to have a non-functional secure site than a non-secure functional site.

-- Randal L. Schwartz, Perl hacker
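
The two issues raised in the post (database values shown without HTML escaping, and query parameters for paging kept in cookies) are illustrated below. This is an added example, not code from the post or from the application it describes; the table, cookie names (`page`, `sort`), and function names are assumptions made for the sketch.

```python
import html
import sqlite3

# Hypothetical allowlist: the only columns a client may ask to sort by.
SORT_COLUMNS = {"name": "name", "price": "price"}
PAGE_SIZE = 2

def build_db():
    """Constructed sample catalogue; one row carries a script tag."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, price REAL)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [
        ("Widget", 9.5),
        ("<script>alert(1)</script>", 1.0),
        ("Gadget & Co", 20.0),
    ])
    return db

def paging_from_cookies(cookies):
    """Treat cookie values as untrusted: coerce, bound, and allowlist them."""
    try:
        page = int(cookies.get("page", "0"))
    except ValueError:
        page = 0
    page = min(max(page, 0), 10_000)
    column = SORT_COLUMNS.get(cookies.get("sort", ""), "name")
    return page, column

def render_page(db, cookies):
    page, column = paging_from_cookies(cookies)
    # The column name comes from the allowlist, never from the cookie text;
    # the numeric values are bound as query parameters.
    rows = db.execute(
        f"SELECT name, price FROM items ORDER BY {column} LIMIT ? OFFSET ?",
        (PAGE_SIZE, page * PAGE_SIZE),
    ).fetchall()
    # Escape every database value before it is placed in HTML.
    cells = [
        f"<tr><td>{html.escape(str(name))}</td><td>{price:.2f}</td></tr>"
        for name, price in rows
    ]
    return "<table>" + "".join(cells) + "</table>"

if __name__ == "__main__":
    tampered = {"page": "0", "sort": "price; DROP TABLE items"}
    print(render_page(build_db(), tampered))
```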