We had some great follow-up and suggestions from folks after our previous post on “13 Things a Web Application Attacker Won’t Tell You”. We thought we’d repeat some here:
· @vidluther: “Just because you’re using a framework doesn’t mean your application is secure”
· @dcuthbert: “Bad guys don’t use a browser to attack your web application”
· Aaron Lognion: “I love when your site lets me upload files under your web root somewhere”
· Aaron Lognion: “I can intercept and steal just about anything you pass over http that is not SSL or otherwise encrypted”
Jeff Williams also sent a mention of his OWASP article on How to Write Insecure Code.
All great info!
I’d also propose:
· “Security through obscurity … isn’t”
This is a humorous look at a serious issue. Too many developers a) don’t have deep enough knowledge of how to develop software in a secure manner and b) incorrectly assume “it could never happen to me.” It is a scary world out there, and that world runs on software. The organizations developing that software need to step up and start doing it properly.
–Dan
dan _at_ denimgroup.com
@danielcornell
One SQL injection vuln, and you might as well just give me a database prompt :)
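To show why one SQL injection flaw amounts to handing over a database prompt, here is an added example (not code from the original post or from Denim Group) that builds a login query two ways over a constructed in-memory SQLite table: once by string concatenation, where user input becomes part of the SQL grammar, and once with bound parameters, where the driver keeps data and statement separate. The table, the users and the `login_*` function names are all assumptions made for the demo.

```python
import sqlite3


def make_db():
    """Constructed demo database: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting.

    Anything the user types is spliced straight into the SQL text, so a quote
    character in the input changes the structure of the query rather than
    being treated as data.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same lookup using bound parameters.

    The statement text is fixed; the values travel to the engine separately
    and can never be interpreted as SQL, whatever characters they contain.
    """
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def compare(conn, username, password):
    """Run both variants on the same input and report how many rows each returns."""
    return {
        "vulnerable_rows": len(login_vulnerable(conn, username, password)),
        "safe_rows": len(login_safe(conn, username, password)),
    }


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials: both variants agree.
    print("valid login:", compare(db, "alice", "correct horse"))
    # The textbook tautology in the password field: the concatenated query
    # becomes ... AND password = '' OR '1'='1', which matches every row,
    # while the parameterised query simply finds no user with that password.
    print("tautology:", compare(db, "x", "' OR '1'='1"))
```

Running the script prints `{'vulnerable_rows': 1, 'safe_rows': 1}` for the real credentials and `{'vulnerable_rows': 2, 'safe_rows': 0}` for the tautology input: the concatenated version authenticates with no password at all and leaks every row, which is exactly the “give me a database prompt” outcome the comment describes. Parameterised queries (or an ORM that uses them underneath) close this off regardless of what the input looks like, so they are the fix to reach for rather than input filtering.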