How to Cheat at Managing Information Security

The purpose of this chapter is to:
Show how application security flaws differ from network-level exposures
Provide a brief description of the common application security flaws
When I left consultancy, I was glad to do it. I was even happier when, six months later, a researcher showed me that by entering the classic SQL-injection command string into my former company s Web site, you could gain access to all manner of information. Sweet.
But application security is like that! Programmers think inside the box the what if I don t bother to visit the login page and go straight to the accounts page scenario seems to defeat so many of them and make the headlines again and again. And it is simply because they aren t trained. I recommend that every security manager run a short course on application hacking; you ll soon see an improvement.
Many in the IT industry have generally ignored or misunderstood application security. The facts show that it has been with us since the first mainframe applications. In those days, in the late 1970s through to the late 1980s, we used 3270 locally attached terminals driven by operating systems that had a level of security that we would accept as good today. On these centralized and generally hardened beasts, network hacking or brute-forcing passwords, in the way hackers do today to gain access to a UNIX or Windows box, would simply not get a hacker in, so no one tried. In those days we hacked applications...