5 More Things a Web Application Attacker Won’t Tell You

We had some great follow-up and suggestions from folks after our previous post on “13 Things a Web Application Attacker Won’t Tell You”. We thought we’d repeat some here:

· @vidluther: “Just because you’re using a framework doesn’t mean your application is secure”

· @dcuthbert: “Bad guys don’t use a browser to attack your web application”

· Aaron Lognion: “I love when your site lets me upload files under your web root somewhere”

· Aaron Lognion: “I can intercept and steal just about anything you pass over HTTP that is not SSL or otherwise encrypted”
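The second and third points above fit together, so here is an added example (not code from the original post or from Denim Group) that shows both: a request built by a script arrives with whatever Content-Type, filename and body the attacker chose, so any check that lived in the browser never ran, and a handler that trusts the client’s filename drops a script file straight into the web root. The web root, upload directory, form fields and PNG header check are all constructed for the demo; the framework you use supplies the request parsing, not the decision about what to trust.

```python
"""Added example (not from the original post): the client is not a browser.

A script can send any Content-Type, any filename and any bytes it likes, so
every check that lived in the browser (an accept= attribute, JavaScript
validation) has simply not happened by the time the request arrives. The
handler below also shows why a client-chosen filename under the web root is
a gift to the attacker. All paths and form fields are constructed for the demo.
"""
import os
import secrets
import tempfile

# Constructed layout: a throwaway "web root" with an uploads/ folder inside it,
# and a separate store that the web server never serves.
WEB_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="webroot_"))
UPLOAD_DIR = os.path.join(WEB_ROOT, "uploads")
PRIVATE_STORE = os.path.realpath(tempfile.mkdtemp(prefix="private_"))
os.makedirs(UPLOAD_DIR, exist_ok=True)

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first eight bytes of every PNG file


def naive_upload(form):
    """Vulnerable: believes the Content-Type header and the client's filename,
    and writes the file where the web server will serve (or execute) it."""
    if form["content_type"] != "image/png":
        return None
    dest = os.path.join(UPLOAD_DIR, form["filename"])  # "../" is not stripped
    with open(dest, "wb") as f:
        f.write(form["data"])
    return dest


def hardened_upload(form):
    """Server-side checks that do not depend on what the client claimed:
    inspect the bytes, pick the stored name ourselves, keep it out of the web root."""
    if not form["data"].startswith(PNG_MAGIC):
        raise ValueError("rejected: body is not a PNG, whatever Content-Type says")
    stored_name = secrets.token_hex(16) + ".png"  # client's filename is never used
    dest = os.path.join(PRIVATE_STORE, stored_name)
    with open(dest, "wb") as f:
        f.write(form["data"])
    return dest


# Constructed request as a script, not a browser, would send it: the header says
# PNG, the body is server-side script, and the filename climbs out of uploads/.
ATTACKER_FORM = {
    "content_type": "image/png",
    "filename": "../shell.php",
    "data": b"<?php echo 'attacker-controlled code would run here'; ?>",
}

# Constructed legitimate request.
HONEST_FORM = {
    "content_type": "image/png",
    "filename": "cat.png",
    "data": PNG_MAGIC + b"\x00" * 16,
}


def demo():
    """Run both handlers against both requests and report what happened."""
    planted = os.path.realpath(naive_upload(ATTACKER_FORM))
    try:
        hardened_upload(ATTACKER_FORM)
        attacker_rejected = False
    except ValueError:
        attacker_rejected = True
    honest = hardened_upload(HONEST_FORM)
    return {
        # naive handler: a .php file now sits directly in the web root
        "naive_wrote_php_in_webroot": os.path.isfile(planted)
        and planted.endswith(".php")
        and os.path.dirname(planted) == WEB_ROOT,
        # hardened handler: the same request is refused on content, not on headers
        "hardened_rejected_attacker": attacker_rejected,
        # hardened handler: the real upload is stored outside the web root
        # under a name the server chose
        "hardened_stored_outside_webroot": os.path.isfile(honest)
        and not honest.startswith(WEB_ROOT)
        and os.path.basename(honest) != HONEST_FORM["filename"],
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The hardened handler never consults the Content-Type header or the client’s filename at all; it looks at the bytes, generates its own name, and writes somewhere the web server cannot reach. Whatever the browser-side form promised is irrelevant, because the attacker did not use the form.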

Jeff Williams also sent a mention of his OWASP article on How to Write Insecure Code.

All great info!

I’d also propose:

· “Security through obscurity … isn’t”

This is a humorous look at a serious issue. Too many developers a) don’t have deep enough knowledge of how to develop software securely and b) incorrectly assume “it could never happen to me.” It is a scary world out there, and that world runs on software. The organizations developing that software need to step up and start doing it properly.


dan _at_ denimgroup.com


Posted via email from denimgroup’s posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.


One Response to “5 More Things a Web Application Attacker Won’t Tell You”

  1. Manicode

    One SQL injection vuln, and you might as well just give me a database prompt :)
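Manicode’s “database prompt” remark, as an added example that is not part of the original post or comment: a single string-concatenated product search is enough to first list every table in the database and then read the one the application never meant to expose, while the same payloads against a parameterized query return nothing. The schema, rows and payloads are constructed for the demo and use SQLite’s `sqlite_master` catalogue; other databases have an equivalent.

```python
"""Added example (not from the original post or comment): one injection point
is enough to read any table. The schema, data and payloads are constructed."""
import sqlite3


def make_db():
    """Constructed sample database: a public products table and a users table
    the application never intended to expose through product search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1, 'widget', 9.99), (2, 'gadget', 19.99);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder-1'),
                                 (2, 'dan', 'hash-placeholder-2');
    """)
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the user's search term is spliced into the SQL text."""
    sql = "SELECT name, price FROM products WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    """Fixed: the SQL text is constant and the term is bound as a parameter,
    so it can only ever be a LIKE pattern, never more SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Step 1 of the attacker's "database prompt": ask the catalogue which tables exist.
# The leading quote closes the LIKE literal, UNION appends a second query with the
# same column count, and -- comments out the "%'" the application appends.
SCHEMA_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"


def leaked_tables(conn):
    """Table names the product search hands back through the vulnerable query."""
    rows = search_vulnerable(conn, SCHEMA_PAYLOAD)
    # Rows whose second column is a CREATE statement came from sqlite_master,
    # not from products (whose second column is a numeric price).
    return {name for name, other in rows
            if isinstance(other, str) and other.startswith("CREATE TABLE")}


# Step 2: with table and column names known, read the credentials directly.
CREDS_PAYLOAD = "' UNION SELECT username, password_hash FROM users --"


def leaked_credentials(conn):
    """(username, password_hash) pairs returned by a product search."""
    rows = search_vulnerable(conn, CREDS_PAYLOAD)
    return sorted((u, h) for u, h in rows
                  if isinstance(h, str) and h.startswith("hash-"))


if __name__ == "__main__":
    db = make_db()
    print("tables:", leaked_tables(db))
    print("credentials:", leaked_credentials(db))
    print("same payload, parameterized:", search_parameterized(db, CREDS_PAYLOAD))
```

Nothing about the payloads is specific to this schema: the first one is how the attacker learns the schema in the first place, which is why a single injectable query is equivalent to handing over a read prompt on the whole database. Binding the term as a parameter removes the problem entirely rather than trying to filter quotes or keywords out of it.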
