Software Quality Insights

Oct 3 2008   2:51PM GMT

Web application security more important than ever

Jake Sorofman


Discussing Web security with even the nicest security professionals can leave one feeling chilled to the bone. It’s not the fault of the security people — it’s just chilling to be reminded how vulnerable the Web really is.

Jeremiah Grossman

Recently, I spoke with Jeremiah Grossman of WhiteHat Security — a very nice guy with very bad news. Most of you have probably heard of the clickjacking threat by now. In a clickjacking attack, the attacker loads a legitimate Web page in an invisible frame on a page the attacker controls and positions the frame so that one of the legitimate page’s buttons sits exactly over some visible bait, such as a “play” button or a prize giveaway. Users click what they see, the click lands on the hidden button instead, and because the browser sends the user’s cookies with the framed page, the action is carried out in the user’s own logged-in session. Nothing on the screen tells them that they’ve been attacked.
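To make the mechanics concrete, the following is an added example written for this page; it is not code from the original post and not material from Grossman or Hansen. It shows the layout of a clickjacking page as an attacker would build it, next to the server-side defense a framed site can apply: telling the browser which origins are allowed to frame it. Neither the X-Frame-Options header nor the Content-Security-Policy frame-ancestors directive existed when this post was written (X-Frame-Options shipped with Internet Explorer 8 in 2009, frame-ancestors came later), and the policy evaluator here is a simplified model of the frame-ancestors matching rules, not a browser’s implementation. All hostnames and URLs are made up.

```javascript
// Added example, not from the original post: attacker-side layout of a
// clickjacking page and server-side anti-framing defenses. All hostnames
// and URLs are constructed placeholders.

// Escape a value for use inside a double-quoted HTML attribute.
function attr(value) {
  return String(value).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// 1. Attacker side. The target page is loaded in an iframe made fully
//    transparent (opacity:0) and stacked above a visible decoy button.
//    offsetX/offsetY are where the victim's button sits inside the target
//    page; the frame is shifted so that button lands exactly on the decoy.
function buildClickjackPage(targetUrl, offsetX, offsetY) {
  const decoyX = 100, decoyY = 100;
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px">Claim your prize</button>`,
    `<iframe src="${attr(targetUrl)}" style="position:absolute;` +
      `left:${decoyX - offsetX}px;top:${decoyY - offsetY}px;` +
      'width:1000px;height:800px;border:0;opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// 2. Defense: response headers a site sends so browsers refuse to render it
//    inside frames it did not authorize. X-Frame-Options portably expresses
//    only DENY or SAMEORIGIN, so it is emitted just for those two cases;
//    Content-Security-Policy frame-ancestors carries the full source list.
function antiFramingHeaders(allowedAncestors = []) {
  const sources = allowedAncestors.length ? allowedAncestors.join(' ') : "'none'";
  const headers = { 'Content-Security-Policy': `frame-ancestors ${sources}` };
  if (allowedAncestors.length === 0) headers['X-Frame-Options'] = 'DENY';
  else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") headers['X-Frame-Options'] = 'SAMEORIGIN';
  return headers;
}

// 3. Simplified model of how a browser evaluates frame-ancestors: every
//    origin in the ancestor chain (immediate parent up to the top window)
//    must match at least one listed source. Supports 'none', 'self',
//    scheme sources ("https:") and host sources with optional scheme,
//    a leading "*." host wildcard and a port. Other CSP forms are not modeled.
function sourceMatches(source, ancestorOrigin, selfOrigin) {
  if (source === "'self'") return ancestorOrigin === selfOrigin;
  let a;
  try { a = new URL(ancestorOrigin); } catch (e) { return false; }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return a.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:\s]+)(?::(\d+|\*))?\/?$/i.exec(source);
  if (!m) return false;
  // A host source without a scheme inherits the framed page's own scheme.
  const scheme = m[1] ? m[1].toLowerCase() + ':' : new URL(selfOrigin).protocol;
  const host = m[2].toLowerCase();
  if (a.protocol !== scheme) return false;
  // "*.example" matches any subdomain of example, but not example itself.
  const hostOk = host.startsWith('*.') ? a.hostname.endsWith(host.slice(1)) : a.hostname === host;
  if (!hostOk) return false;
  const defaultPort = a.protocol === 'https:' ? '443' : '80';
  const ancestorPort = a.port || defaultPort;
  return m[3] === '*' || ancestorPort === (m[3] || defaultPort);
}

function frameAncestorsAllows(directiveValue, selfOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;          // top-level, not framed at all
  const sources = directiveValue.trim().split(/\s+/);
  if (sources.includes("'none'")) return false;
  return ancestorOrigins.every(origin => sources.some(s => sourceMatches(s, origin, selfOrigin)));
}

// Demo: a bank page that lets only itself and its widget partner frame it.
const demoPolicy = "'self' https://*.partner.example";
console.log(antiFramingHeaders(["'self'", 'https://*.partner.example']));
console.log(frameAncestorsAllows(demoPolicy, 'https://bank.example', ['https://evil.example'])); // false
console.log(frameAncestorsAllows(demoPolicy, 'https://bank.example', ['https://widgets.partner.example'])); // true
```

The headers are the defense that actually holds: the browser, not the framed page’s scripts, decides whether rendering inside the attacker’s frame is permitted. The older client-side alternative, a frame-busting script such as `if (top !== self) top.location = self.location`, runs inside the attacker’s document and can be defeated, for example by loading the frame with script execution disabled, so it should be treated as a fallback for browsers that ignore the headers, not as the primary control.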

Grossman and Robert “RSnake” Hansen were scheduled to deliver a talk on the vulnerability at the OWASP (Open Web Application Security Project) application security conference in New York a couple of weeks ago. Ultimately, the two decided to postpone publishing the details of their findings so that Adobe, which has applications vulnerable to the attack, could have time to secure them. “Theoretically, it’s not their bug,” said Grossman, but he respected Adobe’s wishes anyway.

Offsetting this disturbing news are positive developments in application security. The popularity of the OWASP conference itself, said Grossman, is an indication that things are moving in the right direction.

“Developers no longer see application security as ‘calling their baby ugly,’” he said. Three years ago, developers wouldn’t have been flocking to an OWASP conference, Grossman added. “[Developers] want to develop secure code; they just want to be shown how.”

And with all of these vulnerabilities plaguing the Web, application security has never been a hotter field to enter. The best security professionals often hail from the developer community, he explained. “They provide better insight into the business,” Grossman said.

“Not all of the problems have been described, not all of them have been solved,” he said. “Jump in now,” advised Grossman.
