12/21/2006 The lack of security enabled frameworks is why we're vulnerable
We've been stating for years that 'developers need to learn to code securely'. Sure, this is great, however it is essentially limited to skilled professionals. This isn't to say we shouldn't keep teaching, but rather than focusing only on those who are paying attention we should start babysitting the remaining majority.

So how do you watch what a developer is doing? One of the things that needs to happen is to build better libraries and frameworks (yes, this statement sounds very marketechture, but bear with me). Java stopped the overflow issues (minus specific VM issues), and Microsoft's .NET has followed in Java's tracks and done the same. Microsoft's .NET has also gone one better and made development of vulnerable ASP.NET web applications harder. ASP.NET inspects user-modifiable input for HTML, and when that input is echoed back it checks whether HTML has been injected. If it detects HTML injection (usually an XSS attack) it prevents the application from behaving 'vulnerably' by halting its execution and displaying a warning message.

I always hear the argument 'people who write applications vulnerable to buffer overflows, SQL injection or cross site scripting shouldn't be writing code!' and it's a nice fantasy! New people are always learning to code, being put into situations to develop things maybe they shouldn't be, and this isn't ever going to stop. The majority of skilled developers start out the same way, and faulting them for 'learning the ropes' is just plain stupid. We need to start hand-holding what developers are doing by preventing them (by default) from making common security mistakes. Just as important, we need to provide overrides for those who 'know what they're doing', because hindering application development isn't going to fly. As mentioned above, Java and Microsoft's .NET Framework allow you to write unmanaged code if there's a need, however by default they manage it to prevent those darn buffer overflows from 'magically appearing'.
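To make the "secure by default, with an explicit override" idea concrete, here is an added example in Python. It is not code from cgisecurity.com and it is not how ASP.NET's request validation is actually implemented; the names (`validate_request`, `allow_html`, `dispatch`), the HTML-detection heuristic and the sample handlers are all constructed for illustration. The framework layer refuses to run a handler when a request parameter looks like HTML, and a handler that opts out of that check has to take responsibility for encoding its own output.

```python
"""Default-on request validation with an explicit opt-out.

Added example, not code from the original page or from ASP.NET: a toy
framework layer that, like the behaviour described above, halts the
request with a warning when user-supplied input looks like HTML, unless
the handler explicitly declares that it knows what it is doing.
"""
import html
import re
from typing import Callable, Dict

# Heuristic for "looks like HTML": a tag-like token (<script, </a, <!--, <?)
# or a numeric character reference. Deliberately simple; a real framework
# layers more checks. This rule is a constructed assumption, not ASP.NET's.
_HTML_LIKE = re.compile(r"<[a-zA-Z/!?]|&#")


class RequestValidationError(Exception):
    """Raised instead of letting the handler run on suspicious input."""


def looks_like_html(value: str) -> bool:
    """True when the value contains markup-like content."""
    return bool(_HTML_LIKE.search(value))


def validate_request(params: Dict[str, str]) -> None:
    """Reject the whole request if any parameter looks like HTML."""
    for name, value in params.items():
        if looks_like_html(value):
            raise RequestValidationError(
                f"A potentially dangerous value was detected in parameter {name!r}"
            )


Handler = Callable[[Dict[str, str]], str]


def allow_html(handler: Handler) -> Handler:
    """Override for handlers that 'know what they're doing': skip validation.

    Anything decorated this way must encode untrusted data itself.
    """
    handler.validate_request = False  # type: ignore[attr-defined]
    return handler


def dispatch(handler: Handler, params: Dict[str, str]) -> str:
    """Framework entry point: validate by default, then run the handler."""
    if getattr(handler, "validate_request", True):
        validate_request(params)
    return handler(params)


# --- sample handlers (constructed for the demo) ---

def greet(params: Dict[str, str]) -> str:
    # Naive echo of user input; it is only safe because the framework
    # refused to run it on HTML-looking values.
    return f"<p>Hello, {params.get('name', '')}</p>"


@allow_html
def preview(params: Dict[str, str]) -> str:
    # Opted out of validation, so this handler must escape the output itself.
    return f"<pre>{html.escape(params.get('body', ''))}</pre>"


def run_demo() -> Dict[str, object]:
    """Exercise the three cases: clean input, blocked input, explicit override."""
    results: Dict[str, object] = {}
    results["clean"] = dispatch(greet, {"name": "alice"})
    try:
        dispatch(greet, {"name": "<script>alert(1)</script>"})
        results["blocked"] = False
    except RequestValidationError:
        results["blocked"] = True
    results["override"] = dispatch(preview, {"body": "<b>bold</b>"})
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(case, "->", outcome)
```

The point of the design is where the burden sits: the default path protects the developer who never thought about XSS, and the override is a visible, greppable marker (`@allow_html`) that tells a reviewer exactly which handlers have taken the responsibility back.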

Copyright 2000-2007 Cgisecurity.com.
Providing Web Security news since 2000.