Bad Solutions to Important Problems

The MSDN “Hackers” blog had a great post today about bad approaches to preventing Cross Site Scripting vulnerabilities.  When I teach software security classes for developers I regularly run into skepticism: developers don’t want to fix problems because they believe they are already protected by goofy home-grown protective measures.  I have a standard set of examples I like to run through of how to defeat black-list input validation and so on, and this post is a great, structured example of more of the same.  It does a great job of stepping through several ineffective protective measures and the potential exploits that work around the so-called protection.
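To make the post's point concrete, here is an added illustration (not code from the MSDN post, the book, or this blog) contrasting a home-grown deny-list with contextual output encoding. The deny-list patterns, the comment template and the sample inputs are constructed for the example.

```python
import html
import re

# A typical home-grown deny-list: remove the handful of strings the author
# happened to think of. Pattern set constructed for this example.
DENY_LIST = [re.compile(p) for p in (r"<script>", r"</script>", r"javascript:")]


def blacklist_filter(user_input: str) -> str:
    """Strip known-bad substrings. Anything not on the list passes untouched."""
    cleaned = user_input
    for pattern in DENY_LIST:
        cleaned = pattern.sub("", cleaned)
    return cleaned


def encode_for_html_body(user_input: str) -> str:
    """Contextual output encoding for the HTML body: every markup-significant
    character becomes an entity, so no input can be parsed as a tag."""
    return html.escape(user_input, quote=True)


def render_comment(user_input: str, protection) -> str:
    """Embed untrusted text in a (constructed) comment template."""
    return f'<p class="comment">{protection(user_input)}</p>'


def is_inert(rendered: str) -> bool:
    """Defender's check: no '<' or '>' from untrusted input may survive
    inside the <p> body, otherwise the browser sees new markup."""
    body = rendered[len('<p class="comment">'):-len("</p>")]
    return "<" not in body and ">" not in body


# Constructed sample inputs: one the list anticipates, one it does not.
# The deny-list only covers the exact spellings it was given; encoding
# covers every input because it maps characters, not known-bad strings.
SAMPLES = {
    "anticipated": "<script>alert(1)</script>",
    "unanticipated": "<SCRIPT>alert(1)</SCRIPT>",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for label, protection in (("deny-list", blacklist_filter),
                                  ("encode", encode_for_html_body)):
            out = render_comment(text, protection)
            print(f"{name:13s} {label:9s} inert={is_inert(out)!s:5s} {out}")
```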

This reminds me of some of the discussion in “Secure Programming with Static Analysis” where Brian Chess and Jacob West discourage software security personnel from focusing on exploitability.  They are right – spending a bunch of time to demonstrate how to get around each flawed protection mechanism is a waste of time that could be spent fixing issues and actually implementing proper protection.


About Dan Cornell


A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
