Re: Are bad developer libraries the problem with M$ software?
From: Mark Curphey (mark@curphey.com)
Date: 11/22/02
- Previous message: Michael Howard: "Security Education (was are bad developer libs....)"
- In reply to: Alex Lambert: "Re: Are bad developer libraries the problem with M$ software?"
- Next in thread: Michael Howard: "RE: Are bad developer libraries the problem with M$ software?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Mark Curphey <mark@curphey.com>
To: Alex Lambert <alambert@webmaster.com>
Date: 21 Nov 2002 20:06:33 -0800
Alex
The OWASP Guide to Building Secure Web Applications
(http://www.owasp.org/ ) has been downloaded over 500,000 times in the
last 3 months. It may not be exactly what you are angling at (it's more
architecture and dev methodology focused than language specific guidance
today) but the statistics show people are keen to find out the issues.
Also worth noting from the enormous feedback we get, the readership are
rarely people on security lists (and they do read it). They are
mainstream developers. The reaction is always as you describe, one of
shock at having discovered an issue that is so large and so prevalent.
We have another project in the pipe that is building reusable APIs for
Java, C, Python and Perl that enable developers to easily call an input
filter. Early Java code is in CVS and you can read the vision
document for that project at http://www.owasp.org/filters/
If you want to add language specific content to the OWASP Guide feel
free to contact me offline. It's on our plan.
Mark
On Mon, 2002-11-18 at 19:57, Alex Lambert wrote:
> > those weren't likely to happen. I do feel that much of the problem
> > lies in the earliest computer science courses at major universities -
> > they allow (and in some cases, reinforce) bad programming habits. It
> > wouldn't hurt if this were being taught at the earliest levels to
> > future programmers.
>
> I started a webappsec thread on an issue much the same
> (http://online.securityfocus.com/archive/107/290009/2002-08-29/2002-09-04/1).
> I'm surprised it wasn't replicated here.
>
> I'll paste it here in case anyone wants to run with it (it's still a project
> I'd like to do and I'm not sure how many people on webappsec caught what I
> was getting at):
>
> --
>
> Sverre Huseby posted a very interesting and well-written dissertation on
> sessions to webappsec. Latching onto this, I'd like to propose something
> that's been bubbling around in my head for some time now. (If it's already
> been mentioned, flame away.)
>
> I think that most on the list would agree that, overall, most web apps are
> terribly insecure (XSS is pathetically prevalent). I consider myself a
> relatively security-conscious programmer, but I didn't even realize that my
> apps were vulnerable until I became curious and looked it up after seeing a
> large number of messages about it on Bugtraq. I didn't even know it existed;
> how could I have been expected to protect my apps from it?
>
> The last book I bought about a language was in my VB phase; I still haven't
> read the whole thing. Most of what I learn is gleaned from online tutorials,
> sample code, and the formal documentation. Until recently, I had no formal
> CS education. Although this might not be the norm in the US, I'm sure that
> my situation parallels others'. I can't afford (as a full-time HS student)
> to spend $40 on a thick PHP book. So I read what I can online.
>
> I don't recall ever hearing a word of caution about metacharacters, SQL
> statement injection, or XSS in my (beginner) sources. I was never told to
> escape data before feeding it to the database -- or, much less, escaping
> outgoing data. I took example code and tweaked it without much regard for
> security. I coded lamely because _I didn't know any better_.
>
> A reactive approach towards securing apps is running in place: new,
> oblivious coders will just keep producing more bug-riddled code.
>
> To reach new coders (our next "generation"), we must first fix our own
> mistakes: bug-riddled _pedagogies_ that teach bad habits.
>
> I can't say anything about the current state of books; I can be fairly
> certain, though, that few people are going to pick up a book or download a
> tutorial branded explicitly as a security text. I know I wouldn't. Why? A
> lack of knowledge, yes, but time constraints, too. If I need to learn a new
> language and code an app with it in a week, security will hardly even be an
> afterthought.
>
> How can this be rectified? Hook them from the start -- there is no reason
> that sample code should be insecure. Teach people to use print(escape($foo))
> instead of just print. Explain the dangers to them in the early stages: I
> thought XSS was trivial at first. Possibly even develop a library of
> decently-licensed snippets that can be easily massaged into any tutorial.
> This is in no way limited to web apps; the principles I've enumerated apply
> to any coding situation.
>
> We need to, as a community, fix this: it's ignorant to berate "clueless"
> programmers when they haven't been offered a clue.
>
> --
>
> apl
>
> ----- Original Message -----
> From: "Alec Kosky" <alec@motherone.com>
> To: "Steven M. Christey" <coley@linus.mitre.org>
> Cc: <secprog@securityfocus.com>
> Sent: Monday, November 18, 2002 3:33 PM
> Subject: Re: Are bad developer libraries the problem with M$ software?
>
> snip
-- Mark Curphey <mark@curphey.com>
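The two habits Alex's quoted post wants tutorials to teach from day one (escaping data on the way out to the browser, and never splicing user input into a SQL statement) are shown side by side below. This is an added example written for this archive page; it is not code from the thread, from OWASP, or from the filters project Mark mentions. Python is used in place of the PHP `print(escape($foo))` in the post; the table, the sample row and the hostile inputs are constructed for the demonstration.

```python
"""Added example (not part of the original thread): the 'just print' and
string-concatenated-SQL patterns beside their corrected forms."""
import html
import sqlite3

# Constructed hostile inputs, standing in for what a user might type into a form.
HOSTILE_NAME = "<script>alert(1)</script>"
HOSTILE_LOGIN = "' OR '1'='1"


def render_greeting_unsafe(name: str) -> str:
    """The 'just print' pattern: raw input is written straight into the page."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    """The 'print(escape($foo))' pattern: HTML-encode at the output boundary.

    html.escape with quote=True also encodes ' and ", so the result is safe
    inside a quoted attribute as well as in element text.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def build_db() -> sqlite3.Connection:
    """In-memory database with a single constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, secret TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, login: str) -> list:
    """String concatenation: the shape of the query changes with the input.

    With HOSTILE_LOGIN the text becomes
    SELECT login FROM users WHERE login = '' OR '1'='1'
    which matches every row.
    """
    sql = "SELECT login FROM users WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, login: str) -> list:
    """Parameterised query: the input travels as data, never as SQL text."""
    sql = "SELECT login FROM users WHERE login = ?"
    return [row[0] for row in conn.execute(sql, (login,))]


if __name__ == "__main__":
    print(render_greeting_unsafe(HOSTILE_NAME))   # script tag survives
    print(render_greeting_safe(HOSTILE_NAME))     # &lt;script&gt; ... rendered as text
    conn = build_db()
    print(find_user_unsafe(conn, HOSTILE_LOGIN))  # ['alice'] -- injection succeeded
    print(find_user_safe(conn, HOSTILE_LOGIN))    # [] -- literal login, no match
```

One caveat a reader of the thread should take with this: `html.escape` is the right encoder only for HTML element text and quoted attributes. Data landing inside a `<script>` block, a URL, or a CSS value needs the encoder for that context, which is why the post's "escape outgoing data" is the durable rule and an input filter of the kind the OWASP project describes is a second layer rather than a replacement.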