Saturday, September 1, 2007

Security - Now the programmers' panorama

The days of access lists, VPNs, IDS/IPS and firewalls are gone. Don't get me wrong: those are still great technologies to protect your assets, but the world now moves towards another cycle. It goes back to the place where it started, thanks to Web 2.0 adoption. People collaborate using the Internet for many things, just like this blog. Web application deployment is marching much faster than expected, and we are almost on the verge of IP address depletion. Without the Internet, the world may stop for a while (and every software engineer would need to relearn problem solving and take an elective on how to work without search engines; some will end up doing a PhD on this).

Web applications, a little door to mighty businesses, are now gaining attention from attackers. It is not only due to the value of the asset or the amount of profit. It is very, very simple to attack a web application. I have recently gone through a couple of books on web application security. Though I did not go through them in detail, the methods and tools are simple to use and you need to be a geek to do all the fancy stuff.

Oh God. Some of the web application security forums say "90% of web sites have vulnerabilities". It is true to a major extent. For the past two weeks, I have been trying to find a web site that is doing one thing, yes, just one thing, better. I am talking about input validation. If you need a single toolkit to safeguard your blog, Orkut or bank account, just try to find out whether the input validation is done properly. It is a worse culprit than CSS, SQL injection and authentication.
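To make the point above concrete, here is an added example of what "doing input validation properly" looks like in practice: an allow-list validator for a constructed registration form. This is example code written for this page, not code from the post or from any book it cites; the field names, patterns, length limits and sample submissions are all assumptions chosen for illustration. It shows the properties a reviewer should look for: reject by default (unknown parameters are errors, not ignored), length limits checked before anything else, canonicalization before matching, and `re.fullmatch` rather than `re.match`, because `$` in a `match()` pattern silently accepts a trailing newline.

```python
import re
import unicodedata

# Allow-list rule per field: (pattern the whole value must match, max raw length).
# Values are never "cleaned" into something acceptable; they either pass or fail.
RULES = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,15}"), 16),
    "email":    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254),
    "age":      (re.compile(r"1[0-9]|[2-9][0-9]|1[01][0-9]|120"), 3),   # 10..120
    "comment":  (re.compile(r"[\w .,!?'\-]{1,200}"), 200),
}

# ASCII control characters (including newline and NUL) are never legitimate in a form field.
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_field(name, value):
    """Return None if `value` is acceptable for field `name`, otherwise an error string."""
    if name not in RULES:
        # Reject by default: a parameter we did not expect is an error, not noise.
        return f"unexpected field {name!r}"
    if not isinstance(value, str):
        return f"{name}: must be a string"
    pattern, max_len = RULES[name]
    # Length first, on the raw value, so nothing expensive runs on oversized input.
    if len(value) > max_len:
        return f"{name}: too long ({len(value)} > {max_len})"
    # Canonicalize so look-alike code points (e.g. full-width letters) are judged
    # in their normal form instead of slipping past a pattern written for ASCII.
    value = unicodedata.normalize("NFKC", value)
    if CONTROL.search(value):
        return f"{name}: control characters not allowed"
    # fullmatch, not match: with match() and a '$' anchor, "34\n" would be accepted.
    if not pattern.fullmatch(value):
        return f"{name}: does not match allowed format"
    return None


def validate_form(form):
    """Validate a whole submission. Returns (ok, {field: error})."""
    errors = {}
    for required in RULES:
        if required not in form:
            errors[required] = f"{required}: missing"
    for name, value in form.items():
        err = validate_field(name, value)
        if err:
            errors[name] = err
    return (not errors, errors)


# Constructed sample submissions (not real data).
GOOD = {"username": "alice_01", "email": "alice@example.com",
        "age": "34", "comment": "Nice post, thanks!"}
BAD = {"username": "admin' OR 1=1--",   # quote and spaces fail the allow-list
       "email": "bob@example",          # no top-level domain
       "age": "34\n",                   # trailing newline: caught as a control char
       "comment": "x" * 201,            # one byte over the limit
       "debug": "1"}                    # parameter the form never defined

if __name__ == "__main__":
    print(validate_form(GOOD))
    print(validate_form(BAD))
```

The two sample submissions exercise each rule once: the good record passes untouched, while every field of the bad record is rejected with a field-specific reason, which is also what you want to log when you are trying to tell a typo from an attack.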

There are a few great books on software security, and I particularly enjoyed reading the book "Web Application Hacking Exposed". You may want to check the Amazon reviews before buying one and investing time. After reading the book, you find that the best way to defend against attackers is to write solid code, to follow software engineering best practices, to do code review, to run static analysis, and to do pen tests. Sometimes you'll also feel like hacking your own application to keep attackers under your toe.

Yes, it is your feeling, action and passion that make better software, not the tools. Tools just help you reach your destiny faster.
