Web Applications more secure these days? Not from where we stand!
March 5th, 2007 Drazen Drazic Posted in Applications, Bad Developers, Vulnerability Management, Web Application Security
The recent figures posted by Acunetix (see previous post) were an eye opener to many, including long-term IT industry guys, and that is a concern.
The simple fact is that most people underestimate the problems out there on websites and are comfortable believing that many in the IT security business are being alarmist, far more than they should be, and are doing no more than trying to keep themselves in business.
The truth is that bad things are happening out there, and just because people don’t hear about it doesn’t mean it isn’t happening. We know, because we see it every day.
Are web developers getting smarter in regards to secure coding? Based upon our experience, I’d say they’re not. Most haven’t heard of OWASP, have never been taught secure coding practices and skills, and rarely work in an environment where security plays a role in the SDLC.
I’m not just talking about internal developers; you can lump third-party hired guns into that category too. It never ceases to amaze me when we review new sites developed for organisations by so-called experts.
A good friend is the CEO of a manufacturing business with offices in Australia, Asia and the UK. While they’ve had a basic web presence and e-business capability for a while, they recently paid for the development of a new B2B and B2C site. Good dollars changed hands. Now the CEO is no IT guru, but when dealing with a supposedly reputable development shop, he does expect a quality product for his dollars. As a favour, we offered to test the site for him. Now where do we start?
- Information leakage throughout
- Access for anyone on the net who wants to track who’s buying and how much from his company
- User-friendly access to admin screens to test password guessing capabilities
- Convenient site backup, including all application source code zipped up in preparation for anyone to download
- Detailed error reporting to support our “tests”
- A nice photo of a baby in a bath with its mother (we guess it could be one of the developer’s newborn baby), though you’d have to know where to look on the site to find it.
- Etc., etc., etc. It goes on and on, and we’ve barely gotten into any real testing as yet.
An exception? No!
If anything, the Acunetix figures could be pumped up another 20% and I reckon you’d be closer to the mark.
DD
