The other day I got a recommendation from a work colleague to watch a movie about the security of web apps. Two days ago I watched it and was surprised by it, because I realized that there are a lot of vulnerabilities out there which we should really care about. Not care in the sense of being paranoid about securing your apps now, but just being aware of them. Before I write a few more bits about it, here is the link:
Movie: How to break web software
(Mike Andrews talking about security in web apps)
The following list briefly summarizes the key topics of the movie which I found really interesting:
- Comparison of “hacking” real apps and web apps. This guy makes us aware that nowadays it's not necessary to know how, e.g., a buffer overflow works and how to use this flaw. These days it's much easier, and the bad news is that it's possible on a lot of sites out there: Cross-Site Scripting (XSS), changing forms, …
- In the era of the internet there are a bunch of programmers and applications where security is completely unconsidered. Luckily a lot of common surfers out there don't really exploit this, but what will happen when they know how to do it? Because it's so easy!!
- Mike outlines that it's not just important to validate the input, but also to validate the output. I think he is completely right, because if all output is validated and not trusted at all, then the risk of XSS should be minimized to nearly zero. He mentions that there is no point in trusting the data in your own database. I thought about that and came to the conclusion that it makes sense to somehow mistrust your data, because you never know how the hell the data landed there. It's not a real mission to encode the data before the output.
- An interesting statement is that education does not really seem to care about security in web development. Learning how to set up a website, how to hack some JavaScript, program a shopping cart, guestbook, read RSS, etc. has been taught really well over the past years, but I've never heard anything about security. I'm curious about you, but I never heard about that, and I did a couple of courses. Even at my university they do not mention anything, and if they do, then it's just mentioned in passing.
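To make the "encode at the output, don't trust your own database" point concrete, here is an added example in plain Node.js. It is not code from the talk or from this post; the guestbook rows, the function names and the crude `containsActiveMarkup` check are all my own constructions. It renders the same two database rows once by trusting them (the "before") and once by encoding every field for the context it lands in (the "after"), and it also shows the one case where escaping alone is not enough: a URL in an `href`.

```javascript
// Added example (not from the talk or the post): output encoding for a
// guestbook entry whose fields come from the database and are therefore
// untrusted. Node.js, no dependencies.

// Constructed sample rows, as if read back from a guestbook table. The
// second row is a stored XSS payload that slipped past input validation.
const GUESTBOOK_ROWS = [
  { author: 'Alice', homepage: 'https://example.com/', message: 'Nice site!' },
  {
    author: '"><script>alert(document.cookie)</script>',
    homepage: 'javascript:alert(1)',
    message: '<img src=x onerror="alert(1)">',
  },
];

// Encode for HTML text content and double-quoted attribute values.
// Covers the five characters that can change markup structure in either context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// URL attributes need more than escaping: a javascript: URL is harmless as
// text but executes when placed in href. Allow only http(s) URLs, else '#'.
function safeHttpUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : '#';
  } catch (e) {
    return '#'; // not parseable as an absolute URL
  }
}

// The "before": trusts the database and concatenates raw fields.
function renderEntryVulnerable(row) {
  return `<li><a href="${row.homepage}">${row.author}</a>: ${row.message}</li>`;
}

// The "after": every field is encoded for the context it lands in
// (URL validation first, then attribute/text escaping).
function renderEntrySafe(row) {
  return `<li><a href="${escapeHtml(safeHttpUrl(row.homepage))}">` +
    `${escapeHtml(row.author)}</a>: ${escapeHtml(row.message)}</li>`;
}

function renderGuestbook(rows, renderEntry) {
  return `<ul>\n${rows.map(renderEntry).join('\n')}\n</ul>`;
}

// Crude check used only to show the difference between the two renderers:
// does the markup still carry a live tag, event handler or javascript: link?
function containsActiveMarkup(html) {
  return /<script|onerror="|href="javascript:/i.test(html);
}

console.log('--- vulnerable ---');
console.log(renderGuestbook(GUESTBOOK_ROWS, renderEntryVulnerable));
console.log('--- encoded ---');
console.log(renderGuestbook(GUESTBOOK_ROWS, renderEntrySafe));
```

Run it with `node` and compare the two `<ul>` blocks: the first one ships the stored payload to every visitor, the second shows it as harmless text. The point of doing this in the renderer rather than at insert time is exactly the one from the talk: whatever path the row took into the table, the output stage does not have to know or care.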
The movie lasts about 1h 20min and is a must-see for every web dev out there, independent of which technology/language he/she uses. Companies with their own web dev department should show this movie during work time to all their devs. Hook up your projector, get some coffee, watch it and discuss it, just to ensure that they have heard about the basics and are aware of them. Have fun and check back.