Why are SQL injections or XSS (cross-site scripting) errors still the biggest problem in application security, particularly web application security? What tests or processes can we use to reduce this problem?
You can see my full answer online, where I describe a multi-pronged approach to addressing these issues (sorry – registration required). For those looking for a quick preview, I talk about:
- Knowing your application attack surface (you can’t defend what you don’t know about)
- Training developers to build applications that aren’t susceptible to common attacks
- Verifying that training was effective by implementing a testing program
It is certainly possible to build applications that don’t contain these errors, but few organizations have succeeded at implementing a comprehensive approach for dealing with them. However, by understanding the scope of the problem and the steps required to get it under control, organizations can make significant progress.
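As an added illustration of the two error classes the question names and of the "testing program" idea (this is example code written for this page, not code from Denim Group or the original post), the block below puts the injection-prone pattern next to its safe counterpart for both SQL injection and XSS, then runs the kind of regression check a testing program would automate. The `users` table, its rows and the probe strings are constructed sample data; the fix shown is the standard one (parameterized queries and contextual output encoding), using only the Python standard library.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory sample database (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("<script>alert(1)</script>", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """The defect: untrusted input is concatenated into the SQL text, so the
    database parses attacker-controlled characters as part of the query."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The fix: a parameterized query. The driver binds the value separately,
    so it is compared as data and never interpreted as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(rows):
    """The defect: stored data is written into HTML without encoding, so a
    name containing markup becomes script in the page (stored XSS)."""
    return "".join(f"<li>{name} ({role})</li>" for name, role in rows)


def render_safe(rows):
    """The fix: encode for the HTML body context before emitting the value."""
    return "".join(
        f"<li>{html.escape(name)} ({html.escape(role)})</li>" for name, role in rows
    )


def regression_checks():
    """A minimal automated check of the kind a testing program would keep in
    its build: prove that the safe variants do not exhibit either weakness.
    Returns a dict of booleans so a test harness can assert on it."""
    conn = build_db()
    sqli_probe = "x' OR '1'='1"  # classic tautology probe, used here only as a test input
    xss_rows = find_user_safe(conn, "<script>alert(1)</script>")
    return {
        # the concatenated query returns every row for the probe; the bound one returns none
        "sqli_fixed": len(find_user_safe(conn, sqli_probe)) == 0
        and len(find_user_vulnerable(conn, sqli_probe)) == 3,
        # the encoded output contains no raw tag; the unencoded output does
        "xss_fixed": "<script>" not in render_safe(xss_rows)
        and "<script>" in render_vulnerable(xss_rows),
    }


if __name__ == "__main__":
    for check, ok in regression_checks().items():
        print(f"{check}: {'pass' if ok else 'FAIL'}")
```

Checks like `regression_checks()` are what turn the training step into something verifiable: the vulnerable functions stay in the test suite only as the negative control, and the build fails if a future change reintroduces string-built SQL or unencoded output.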
dan _at_ denimgroup.com