Why applications have security bugs


It was this comment to the posting that caught my attention:

Some of us idiots used to think that any devs who weren’t aware of buffer overflow before the Morris worm would be aware of it after the Morris worm. But in fact, your posting almost points out why many devs remain blissfully unaware:

“we developers were trained to focus on and typically only ever focused on how legitimate users will use the product”

Close. Developers who want to have good jobs have to get trained to focus on how their managers pretend the product will be used. Anyone who thinks as far out as actual end users will get canned for not being a team member. Anyone who thinks even further out about actual end misusers will be sued for being a hacker. But yeah, you explained it. Thank you.

Long time readers will know that the Morris worm is my poster-boy for complaining that modern schools don’t teach defensive programming.

It seems I’m not alone.


OWASP Top Ten is really the OWASP Top 6.5

[Image: Announcement of changes in company password po... (via Wikipedia)]


This is somewhat dated, but so what? Most of the points it raises still hold.
It opens:

CIO/CSO: “I just went to a very important luncheon meeting. First, they bought me steak, then they showed me powerpoint about this new security list, then we got to watch STAR WARS! I want our websites to be OWASP Top Ten certified by the end of the week!”

… and it goes on with the sad-but-true:

Consultant: “Hello, I just completed CISSP boot camp. I am here to run OWASP Top Ten security scanning software and install a web application firewall! Cookies?
Sorry, I’m diabetic.”

Wasn’t there a Dilbert strip about that? “Invoking the awesome power of certification”?

Speaking of which:

Dilbert: “Maybe we should first start with password protecting the website? Or fixing our expired SSL certificate?”

How true; how poignant! And we all know the response to that:

Consultant: “I’m sorry, that is not on the list! Hmm, what to do? I will use the consultant’s Top Ten Scary Word List! Sarbanes-Oxley, HIPAA, PCI…”

Seriously, though: a while ago I read an article suggesting that how you title your posts or blogs is very important, and it used examples from magazines such as Cosmopolitan to illustrate that titles like “The top 10 ways …”, “10 things you should know” and the like attract more readers.

Well heck, who wants to read an article titled:

“Six and a half ways to secure your web site”.

Those into reverse psychology, perhaps?
But please, do fix those expired SSL certificates.


Hysteria over swine flu is the real danger


And in world terms how does this compare to nuclear tests in North Korea?