[nycphp-talk] talk Digest, Vol 40, Issue 20
David Krings
ramons at gmx.net
Thu Sep 14 15:47:14 EDT 2006
Hi!
You really forgot one thing on the list: developer laziness. I work with
quite a few developers who are all smart people and who know how to secure
input correctly. The problem is that adding the code takes extra time and
is annoying as it doesn't really do much. And besides that, in a
professional setting, support is the one to pick up the pieces afterwards
(that would be me). Since I got burned once by unscreened input that was
piped straight into an SQL query, I make an extra effort to test for this (I do
software QA as well).
The private coder who wants to spice up the self-hosted webpages with some
scripts is inexperienced and maybe negligent. What freaks me out is when I
can simply dismantle a page for a for-profit business by entering "O'Neill"
into some text box.
Since my first few steps with SQL I am aware of the injection problem. I'm
still awfully uneducated on this cross-site scripting problem. I know that it
exists, but I have no idea what to do about it... again, developer laziness.
David
At 10:38 AM 9/14/2006, you wrote:
>1. it is easy to ignore it and the app still works in your test
> environment.. and you didn't waste valuable time auditing!
> (tongue in cheek) "Despite your Herculean timetable, Mr.
> Client, the app is ready. Now I'm going to have to bill you
> extra hours to do a security audit and documentation."
> "umm.. no thanks, Mr. Developer. I don't have the budget for
> your bill padding".
>
>2. php is easy to use and popular; low adoption barriers.
> a. newbies haven't been burned yet or don't know best practices
> b. popularity brings the dark side for low hanging fruit
> c. terms like 'x-site scripting' and 'db injection' are
> confusing buzzwords to the newly introduced and (despite
> efforts) are not defined well enough; besides,
> buzzwords get ignored anyway.
> d. "eewww.. that can/will not happen to me"
>
>3. it isn't preached enough
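The "O'Neill" failure and the tautology attack it opens the door to, shown side by side with the parameterised fix and the HTML escaping that covers the cross-site scripting case. This is an added example, not code from the list or from either poster; it uses Python's built-in sqlite3 module as a stand-in for the PHP/MySQL setups discussed on the list, and the customers table and its rows are constructed here for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's real database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (name) VALUES (?)",
        [("Smith",), ("O'Neill",), ("Jones",)],
    )
    return conn


def lookup_unsafe(conn, name):
    """Unscreened input piped straight into the query text.

    An apostrophe in the input terminates the string literal early, so a
    plain name like O'Neill is a syntax error and a crafted one rewrites
    the WHERE clause.
    """
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text,
    so quotes in it can never change the statement's structure."""
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Escape user input before echoing it into HTML so a script tag in the
    name is displayed as text instead of executed (the XSS counterpart)."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both lookups against the same inputs and collect what happens."""
    conn = make_db()
    results = {}

    # The legitimate name from the post breaks the concatenated query.
    try:
        lookup_unsafe(conn, "O'Neill")
        results["unsafe_oneill"] = "ok"
    except sqlite3.OperationalError as exc:
        results["unsafe_oneill"] = "error: " + str(exc)
    results["safe_oneill"] = lookup_safe(conn, "O'Neill")

    # A tautology payload: the unsafe path returns every row, the safe
    # path looks for a customer literally named "x' OR '1'='1" and finds none.
    payload = "x' OR '1'='1"
    results["unsafe_payload_rows"] = len(lookup_unsafe(conn, payload))
    results["safe_payload_rows"] = len(lookup_safe(conn, payload))

    # Same idea for output: the browser must see markup as data.
    results["greeting"] = render_greeting("<script>alert(1)</script>")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of the test on `"O'Neill"` is that it is a QA check anyone can run without knowing any attack syntax: if a legitimate apostrophe breaks the page, the query is being built by string concatenation and the tautology payload will work too. In PHP the equivalent of `lookup_safe` is a prepared statement (mysqli or PDO with bound parameters) and the equivalent of `render_greeting` is `htmlspecialchars()` on every value echoed into a page.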