20070223

Web Application Security Compared to Other Software


Security Retentive had an interesting perspective on proper engineering in software as it pertains to the Engineer's Code of Ethics, which reminded me of a post I've wanted to make for a long, long time.

I've probably written about a dozen lines of Forth in my life, so I don't know for sure that the issues don't exist. But with regard to writing code with excellence - academically "correct" code, what if people who wrote the following pieces of software did so with the same haste that many web applications are written with:

  • Device drivers
  • Flight Control Systems
  • Power systems
  • Water/sewage systems
  • Defense systems
  • Voting Machines

Am I being naive to think that input validation, output filtering, and flow control are the real building blocks for really important systems? I mean, can you imagine if a nuclear power plant had the firmware equivalent of a cross-site scripting vulnerability?

I really wish even web developers would begin to see their job as a craft - a highly skilled position that needs care and thought, just like people who engineer drawbridges.

1 comment:

  1. From experience in the past when working at a compiler development company, I would regularly work with developers of things like Power Grid Apps using languages like FORTRAN and the like; applications were developed slower and more care was taken to ensure that the job was done.

    I migrated to IT Sec a long time ago and I've recently been able to test apps written by a new generation of developers born and bred on Java, C/C++ and newer languages for Power Grid systems and 'Critical' stuff like that. In the past, these important apps never broke, they were not net enabled, they couldn't get compromised remotely, they were simple and they just worked and had little or no user input.

    Now, because software developers are taught by colleges and universities to write bad code, you can always find holes in these systems. It is a sign of the times; everyone wants everything to be enabled for whatever is the current buzz technology. Problem is, no one really thinks: does this thing really need to be?
