Quick tips for web app security

Date June 7, 2008

Through my RSS reader I discovered the above named article the other day, so I took a quick look.  In some ways I wish I hadn’t, and I hope that not many other people did either. 

The first few tips are pure “security by obscurity”, and you should never “sanitize” user input: either it passes validation or it doesn’t.  Trying to clean up data, for example by removing JavaScript, leaves you vulnerable to tricks like <scr<script>ipt>, where the app looks for “<script>” and removes it, and the fragments on either side close up into the very tag it was trying to strip.  It’s not until tips 6, 7 and 8 that the article starts to provide any real value.
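To make the strip-versus-validate point concrete, here is an added example (not code from the original post or from the article it reviews). The payload and the username rule are constructed for illustration; the functions show a single-pass “sanitizer” being bypassed by the nested tag, an allow-list check that simply rejects the input, and output encoding for fields that must carry free text.

```javascript
// Added example, not code from the original post or the article it reviews.
// The payload and the username allow-list rule are illustrative assumptions.

// The "sanitize" approach the post warns against: one pass that deletes
// every literal "<script>" and hands back whatever is left.
function naiveStripScript(input) {
  return input.replace(/<script>/gi, "");
}

// Constructed attacker payload. The inner "<script>" is the only match, and
// removing it splices the outer "<scr" and "ipt>" back into a working tag.
const PAYLOAD = "<scr<script>ipt>alert(1)</script>";

// Validate-or-reject: decide what the field may legitimately contain (here a
// hypothetical username rule) and refuse anything else instead of repairing it.
function isValidUsername(input) {
  return /^[A-Za-z0-9._-]{1,32}$/.test(input);
}

// Where free text must be stored and later rendered, encode it at output time
// so that whatever it contains is displayed rather than interpreted as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEncode(text) {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Demonstration: the stripped payload is a live script tag, validation rejects
// it outright, and encoding renders it inert.
function demo() {
  return {
    stripped: naiveStripScript(PAYLOAD),
    accepted: isValidUsername(PAYLOAD),
    encoded: htmlEncode(PAYLOAD),
  };
}

console.log(demo());
```

The stripped result is exactly `<script>alert(1)</script>`: the filter did its job on the one match it found and produced the string it was meant to prevent. Looping the strip until nothing changes would close this particular hole, but the allow-list check needs no such reasoning, because it never tries to repair the input at all.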

Although the article isn’t all that “bad”, the tips smacked of someone who had sat through the beginning of a web app security class (like UWH) and misunderstood the structure and the risks of each of the ideas presented. 

Any class has to start somewhere to introduce the rest of the material, and these “quick tips” seem mostly pulled from the start of such a class: the “discovery” or “configuration” phases of a methodology, if you will, rather than the “authorization” or “data validation” phases where the real risks usually arise. Anyone who picked up these quick tips and based their security on them would be vulnerable to some of the biggest mistakes out there.  What the author says isn’t wrong per se (and the ending redeems it somewhat), but to focus on these tips when better summary documents exist, like OWASP’s Top 10 (not perfect, but a far more accurate reflection of the risks), is just security suicide.
