Comments on: The State of Web Security http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/ Fri, 09 Apr 2010 12:01:55 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Mike http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/comment-page-1/#comment-177 Mike Mon, 02 Jun 2008 00:20:08 +0000 http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/#comment-177 Hi Armando. Looks like for some reason your followup link was cut off, so here it is. http://www.hackerscenter.com/index.php?/Blogs/2106-Security-am-I-phobic.html I must say that I agree with you - I've had many difficult a time in convincing companies the risk of a certain vulnerability - in fact only the other week I had to write quite a long email to a senior exec detailing the things that XSS can do, because they didn't believe that it could "damage their servers" or do anything all that malicious. I'm just thankful that they didnt just think all it could do was pop up an alert box! (and no, that's not being funny - I've seen people who think that all XSS is). I won't go into the rest of your post, because I think you have good points. However, I also think that vuln assessment just isn't going to cut it in the long run - there's just not enough people (or time) to actually do it - what we *have* to do is build software securely in the first place. I've detailed some of my though in the link below, but it pretty much (IMO) comes down to two things - make the technology such that it's difficult to do things in a non-secure way, and educate people. http://www.mikeandrews.com/2008/05/20/how-to-improve-the-web/ Anyway, thanks for the comment, link, and nice recommendation. Hi Armando. Looks like for some reason your followup link was cut off, so here it is.

http://www.hackerscenter.com/index.php?/Blogs/2106-Security-am-I-phobic.html

I must say that I agree with you – I’ve had many difficult a time in convincing companies the risk of a certain vulnerability – in fact only the other week I had to write quite a long email to a senior exec detailing the things that XSS can do, because they didn’t believe that it could “damage their servers” or do anything all that malicious. I’m just thankful that they didnt just think all it could do was pop up an alert box! (and no, that’s not being funny – I’ve seen people who think that all XSS is).

I won’t go into the rest of your post, because I think you have good points. However, I also think that vuln assessment just isn’t going to cut it in the long run – there’s just not enough people (or time) to actually do it – what we *have* to do is build software securely in the first place. I’ve detailed some of my though in the link below, but it pretty much (IMO) comes down to two things – make the technology such that it’s difficult to do things in a non-secure way, and educate people.

http://www.mikeandrews.com/2008/05/20/how-to-improve-the-web/

Anyway, thanks for the comment, link, and nice recommendation.

]]> By: Obama looking for security expert | Mike Andrews http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/comment-page-1/#comment-176 Obama looking for security expert | Mike Andrews Mon, 02 Jun 2008 00:00:28 +0000 http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/#comment-176 [...] off the heals of the XSS silliness between the Obama and Clinton camps, the my.barackobama.com site is looking for a network security [...] [...] off the heals of the XSS silliness between the Obama and Clinton camps, the my.barackobama.com site is looking for a network security [...]

]]> By: Armando Romeo http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/comment-page-1/#comment-170 Armando Romeo Sun, 01 Jun 2008 08:23:57 +0000 http://www.mikeandrews.com/2008/05/20/the-state-of-web-security/#comment-170 This is one of the most "true" and sad posts I have read so far on the state of security now. The most sad part is that it seems that not much is changing from the vendors side for what concerns security awareness. Although response to security issues is getting better from my experience. Security shoud be installed on engineers mind since their early education into Universities. Not just with notions. A good course on security impact of their "academic" security-unaware code would be helpful for them and for us once they leave the school and enter the job field. Great post Mike, this is by far my favourite security blog. I've also followed up with it and added my considerations here: Security am I phobic?</a> This is one of the most “true” and sad posts I have read so far on the state of security now. The most sad part is that it seems that not much is changing from the vendors side for what concerns security awareness. Although response to security issues is getting better from my experience. Security shoud be installed on engineers mind since their early education into Universities. Not just with notions. A good course on security impact of their “academic” security-unaware code would be helpful for them and for us once they leave the school and enter the job field.
Great post Mike, this is by far my favourite security blog.
I’ve also followed up with it and added my considerations here:
Security am I phobic?

]]>