[LINK] Imposed unsecured websites [was: WP: The Pentagon is turned on by eWar

Rick Welykochy rick at praxis.com.au
Sat Apr 14 14:15:25 AEST 2012


David Boxall wrote:

> I'd love to know the psychology behind insecure web site design. It's
> not as if good results can't be achieved without excessively
> compromising user security.

Dunno if you've written any web site code, David. It is a tortuous
process. And the interaction of so many different components in what
are becoming large burgeoning systems with many side effects can leave
the web coder's head spinning when they start thinking about security.

In days of old, we would code computer software line by line, keeping in
mind the possibility of the nastiness of a bug being introduced in
any line we wrote.

With network-based coding, one must include concerns about security
as well, with each line of code written.

Good results can be achieved without compromising user security AT ALL.
If one is an expert, very careful, very experienced and perseveres.

For further reading:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

To quote from the 2010 Top 10 web risks:

   The OWASP Top 10 Web Application Security Risks for 2010 are:
     A1: Injection
     A2: Cross-Site Scripting (XSS)
     A3: Broken Authentication and Session Management
     A4: Insecure Direct Object References
     A5: Cross-Site Request Forgery (CSRF)
     A6: Security Misconfiguration
     A7: Insecure Cryptographic Storage
     A8: Failure to Restrict URL Access
     A9: Insufficient Transport Layer Protection
     A10: Unvalidated Redirects and Forwards

That's just the top 10. There are many more. And each must be in the back of
the coder's mind for each line of HTML, CSS, script, SQL, etc. that is written.

IMHO, many inexperienced and/or naive coders are simply not up to the task. And
many would not even be able to adequately describe all of the above, spot
an occurrence of each in existing code and fix them.

I myself find it rather tedious and exhausting to get a web job done 100% correct
and 100% secure. Almost impossible, really.

To perhaps address your question of the psychology behind this, it is far easier
to stick one's head in the sand and not worry terribly much about security
nasties on the Internet. And since we are an unvetted profession, who is going
to be the wiser, except the hapless user who is one day compromised, perhaps their
bank account emptied or their identity stolen?

cheers
rickw


p.s. If you follow the security notices for Adobe Flash and for the PHP web language,
you can observe how really difficult it is to get web security right. Even the supposed experts
writing these two backbones of the web are getting it wrong all the time. The number of
security upgrades for these two products continues unabated. (If I had my druthers, I'd ban
both of them to the eleventh level of hell and be done with them forever.)

-- 
____________________________________
Rick Welykochy || Vitendo Consulting

Poverty is the worst form of violence.
      -- Mahatma Gandhi