Not too long ago, Twitter was hit with what would become known as the “Mikeyy” worm, a malicious little bit of code that exposed holes in Twitter security. Those holes have been patched, and life goes on at Twitter, but it has inspired some important discussion about web security.
As a very well written article at ReadWriteWeb.com points out, there are two different ways to address security when designing a web application: Input Filtering and Output Escaping. While a discussion of the pros and cons of the two schemes is definitely worth having, that’s not where I want to go. I want to focus on the base of the issue, and that is security as a habit.
I recently was given the task of developing a web application for tracking discounts given to customers by the sales staff where I work. This application was to be simple for the sales staff to use, collect specific information, and load it into a database. We have a Windows 2003 Server that is available for me to use as an application platform, and I’ve got MySQL installed on it.
I was given about a day and a half to get something working. That’s a pretty compressed timeframe by almost anybody’s standards. So I put on my headphones and got to work.
Security was the least of my concerns. I was interested only in getting something functional, from my boss’s standpoint, and roughly stable. Needless to say I cut corners. I now have a load of work to go back and do, because validation is non-existent, and I did absolutely no output escaping.
The moral of my story is this: making security a habit instead of an afterthought would probably have saved me what will most likely become days of work. Throwing a project together with no concept of security automatically breeds an insecure system. More than that, however, it creates a situation where you’re chasing security holes, possibly for years, instead of standing sure that you are secure from the beginning.
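Here is what the two missing pieces, input validation and output escaping, look like in a small discount-entry handler. This is an added example, not the author's application code; it assumes a handler that receives the submitted form as a dict, and uses an in-memory SQLite table as a constructed stand-in for the MySQL database.

```python
import html
import re
import sqlite3

# Constructed stand-in for the MySQL discounts table described in the post.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE discounts (customer TEXT, percent INTEGER, note TEXT)")

# Input filtering: a customer name may only contain these characters.
CUSTOMER_RE = re.compile(r"[A-Za-z0-9 .&'-]{1,64}")

def validate_discount(form):
    """Accept only well-formed fields; reject everything else before it is stored."""
    customer = form.get("customer", "").strip()
    if not CUSTOMER_RE.fullmatch(customer):
        raise ValueError("bad customer name")
    try:
        percent = int(form.get("percent", ""))
    except ValueError:
        raise ValueError("percent must be an integer") from None
    if not 0 <= percent <= 100:
        raise ValueError("percent out of range")
    note = form.get("note", "").strip()
    if len(note) > 200:
        raise ValueError("note too long")
    return customer, percent, note

def save_discount(form):
    """Validate, then store with a parameterised query so values never join the SQL text."""
    customer, percent, note = validate_discount(form)
    conn.execute("INSERT INTO discounts VALUES (?, ?, ?)", (customer, percent, note))
    conn.commit()

def render_discounts():
    """Output escaping: every stored string is escaped at the point it becomes HTML."""
    rows = conn.execute("SELECT customer, percent, note FROM discounts").fetchall()
    cells = "".join(
        f"<tr><td>{html.escape(c)}</td><td>{p}</td><td>{html.escape(n)}</td></tr>"
        for c, p, n in rows
    )
    return f"<table>{cells}</table>"
```

Doing both, every time, is the habit the post argues for: filtering keeps bad data out of the database, and escaping keeps whatever did get in from being interpreted by the browser.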
So all you web developers out there, heed my warning. No matter what security scheme you decide to live by, make sure that you are consistent in your approach. Do it all the time, every time, and you’ll be running some of the most secure code on the Internet.