How to Cheat at Managing Information Security

Chapter 13: Application Security Flaws and Application Testing

Overview

The purpose of this chapter is to:

  • Show how application security flaws differ from network-level exposures

  • Provide a brief description of the common application security flaws

Anecdote

When I left consultancy, I was glad to do it. I was even happier when, six months later, a researcher showed me that by entering the classic SQL-injection command string into my former company s Web site, you could gain access to all manner of information. Sweet.

But application security is like that! Programmers think inside the box the what if I don t bother to visit the login page and go straight to the accounts page scenario seems to defeat so many of them and make the headlines again and again. And it is simply because they aren t trained. I recommend that every security manager run a short course on application hacking; you ll soon see an improvement.

Introduction

Many in the IT industry have generally ignored or misunderstood application security. The facts show that it has been with us since the first mainframe applications. In those days, in the late 1970s through to the late 1980s, we used 3270 locally attached terminals driven by operating systems that had a level of security that we would accept as good today. On these centralized and generally hardened beasts, network hacking or brute-forcing passwords, in the way hackers do today to gain access to a UNIX or Windows box, would simply not get a hacker in, so no one tried. In those days we hacked applications...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Security Software
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.