We came across a business-focused article on Web security today at http://news.com.com/Solving+the+Web+security+challenge/2009-1002_3-6189437.html.
Here’s an excerpt that caught our attention:
Pete Boden, senior director for MSN and Windows Live security, echoes the views of many longtime executives. He argues that a lot of application security problems boil down to the same fundamental source: data input; that is, what people type into an application. Tightly control what can or can’t be entered–or “validate” in industry parlance–and you can eliminate the major access point for security breaches.
“If you classified Web vulnerabilities and took out all of those that are related in some form to input validation, I think you’d have a very small number of vulnerabilities left,” he said. “I contend that 80 percent of the vulnerabilities that we see are input validation errors.”
The Microsoft answer (better development tools) and the industry-standard answers from the article (better industry cooperation, better-trained developers) are all well and good, but while we wait for those utopias to arrive, a rapidly growing amount of vulnerable “Web 2.0” code is being deployed. This is where the upcoming ServerDefender Web app firewalls from Port80 Software will help: one of their key features is input sanitization, which covers for Web developers who should be focused on functionality (you have enough to worry about) and keeps out the hackers looking for a way in at the same time.
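To make the “validate on input” point above concrete, here is an added example (not code from the article, from Port80 Software, or from ServerDefender) of allow-list validation for a small form, beside a block-list “sanitizer” of the kind that looks convincing but is not, and the output encoding that still has to happen after a value has been accepted. The field names, the patterns and the length limit are assumptions chosen for the example.

```python
import html
import re
from typing import Dict, Tuple

# Allow-list rules per field: the exact shape each value must have before the
# application touches it. Field names and patterns are assumptions for this example.
FIELD_RULES = {
    "username": re.compile(r"^[A-Za-z0-9_]{3,32}$"),
    "page":     re.compile(r"^[1-9][0-9]{0,5}$"),            # positive integer, max 6 digits
    "next":     re.compile(r"^/(?![/\\])[A-Za-z0-9_\-/]*$"),  # same-site path: one leading slash only
}

MAX_RAW_LEN = 256  # assumed hard ceiling applied before any pattern work


def validate_form(form: Dict[str, str]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Validate every expected field against its allow-list rule.

    Returns (cleaned, errors). `cleaned` holds typed, accepted values only;
    `errors` maps each missing, oversized, malformed or unexpected field to a
    reason. Unknown fields are rejected rather than passed through, so the
    application only ever sees what it asked for.
    """
    cleaned: Dict[str, object] = {}
    errors: Dict[str, str] = {}
    for name, rule in FIELD_RULES.items():
        raw = form.get(name)
        if raw is None:
            errors[name] = "missing"
            continue
        if not isinstance(raw, str) or len(raw) > MAX_RAW_LEN:
            errors[name] = "wrong type or too long"
            continue
        if not rule.fullmatch(raw):
            errors[name] = "does not match allowed format"
            continue
        # Convert to the type the application actually wants once the shape is known.
        cleaned[name] = int(raw) if name == "page" else raw
    for name in form:
        if name not in FIELD_RULES:
            errors[name] = "unexpected field"
    return cleaned, errors


def strip_script_tags(raw: str) -> str:
    """A block-list 'sanitizer': removes one literal token and nothing else.

    Kept here only to show why this approach fails: removing a substring can
    itself assemble the token it was meant to remove, and every variant the
    author did not anticipate passes untouched.
    """
    return raw.replace("<script>", "")


def render_greeting(username: str) -> str:
    """Output encoding for the HTML context.

    Validation decides what the application accepts; encoding decides how an
    accepted value is written into a page. Both are needed, because a value that
    is valid for one context (a database column) can still be unsafe in another
    (an HTML body).
    """
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    # Constructed sample submissions, not captured traffic.
    good = {"username": "alice_01", "page": "42", "next": "/account"}
    bad = {"username": "alice<script>", "page": "0", "next": "//elsewhere.example"}
    print(validate_form(good))
    print(validate_form(bad))
    print(strip_script_tags("<scr<script>ipt>"))
    print(render_greeting("<b>alice</b>"))
```

The allow-list validator rejects three classes of bad input at once (wrong shape, wrong type, unexpected field) without knowing anything about the attack that would have used them, which is the practical meaning of Boden’s “take out everything related to input validation.” The block-list function, by contrast, is shown only to make the contrast visible: a single `replace` call can reassemble the very token it removes.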
A more general critique of the article (and of articles of this type) is that the Web 2.0 talk seems pretty airy and uninformed. For example, there is no mention of the security issues in popular Ajax libraries, issues that affect many specific sites but for which solutions already exist (see this 200 OK post).
Instead, we get a lot of business-analyst-speak about whether MS or Google or Yahoo will do the right thing.
Do we have time to wait for Web security to standardize from the top players down? Or should we fight the good fight now with the tools on market, and those to come soon like ServerDefender? What do you think?
More to come,