Discussing Web security with even the nicest security professionals can leave one feeling chilled to the bone. It’s not the fault of the security people — it’s just chilling to be reminded how vulnerable the Web really is.
Recently, I spoke with Jeremiah Grossman of WhiteHat Security — a very nice guy with very bad news. Most of you have probably heard of the clickjacking threat by now. The vulnerability allows attackers to place an invisible “button” of sorts on a Web page. When it is placed over a legitimate button, users click as they normally would and have no idea that they have been attacked.
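The standard defence against the overlay attack described above is for the server to tell browsers whether its pages may be embedded in a frame at all. The following JavaScript is an added illustration written for this page (it is not code from the article, from Grossman or from WhiteHat Security): it classifies a response's framing policy from the real X-Frame-Options and Content-Security-Policy headers, and the sample responses it audits are constructed.

```javascript
// Added example: classify how well a server response protects its page against
// being framed (the usual clickjacking mitigation). Header names are the real
// ones browsers honour; the sample responses below are constructed for illustration.

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Return the source list of a CSP frame-ancestors directive, or null if the
// policy has no such directive. Quotes around keywords like 'self' are stripped.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Classify a response as 'denied', 'same-origin', 'allowlist' or 'unprotected'.
function framingPolicy(rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);

  // When a CSP frame-ancestors directive is present, browsers that support it
  // ignore X-Frame-Options entirely, so it must be evaluated first.
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    if (sources.length === 0) return 'denied';          // empty list matches nothing
    if (sources.includes('*')) return 'unprotected';     // any origin may frame the page
    if (sources.length === 1 && sources[0] === 'none') return 'denied';
    if (sources.length === 1 && sources[0] === 'self') return 'same-origin';
    return 'allowlist';                                  // specific origins only
  }

  const xfo = (headers['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM is obsolete and ignored by current browsers; an absent or
  // unrecognised value leaves the page frameable from anywhere.
  return 'unprotected';
}

// Constructed sample responses, keyed by a made-up application name.
const SAMPLE_RESPONSES = {
  legacyApp: { 'Content-Type': 'text/html' },
  xfoOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  cspDeny: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  // Common mistake: X-Frame-Options looks strict, but the CSP directive wins.
  cspWildcard: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  partnerOnly: { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
};

// Audit every sample and report the policy of each.
function auditAll(responses) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = framingPolicy(headers);
  }
  return report;
}

console.log(auditAll(SAMPLE_RESPONSES));
```

Run it with `node` and the report shows `legacyApp` and `cspWildcard` as unprotected: the second case is the one worth remembering, because a strict X-Frame-Options header gives no protection once a permissive frame-ancestors directive is present.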
Grossman and Robert “RSnake” Hansen were scheduled to deliver a speech on the vulnerability at the OWASP (Open Web Application Security Project) application security conference in New York a couple of weeks ago. Ultimately, the two decided to postpone the details of their findings so that Adobe, which has applications vulnerable to the attack, could have time to secure their applications. “Theoretically, it’s not their bug,” said Grossman, but he respected Adobe’s wishes anyway.
Offsetting this disturbing news are positive developments in application security. The popularity of the OWASP conference itself, said Grossman, is an indication that things are moving in the right direction.
“Developers no longer see application security as ‘calling their baby ugly,’” he said. Three years ago, developers wouldn’t have been flocking to an OWASP conference, Grossman added. “[Developers] want to develop secure code; they just want to be shown how.”
And with all of these vulnerabilities plaguing the Web, application security has never been a hotter field to enter. The best security professionals often hail from the developer community, he explained. “They provide better insight into the business,” Grossman said.
“Not all of the problems have been described, not all of them have been solved,” he said. “Jump in now,” advised Grossman.