Posts

Blogger.com gets a "D" and yes, that's a problem

Moral: implement security before something bad happens.

So here I am, starting a blog about web security on Blogger.com. I figured it made sense to check out the web site I'm blogging on… sort of the blogging equivalent of eating your own dog food. So I headed over to The Mozilla Foundation's Observatory service and typed in the domain www.blogger.com. The results were not good: OK, wait… isn't Blogger run by Google? Y'know, the world-dominating web site run by yuppies sipping fancy coffee drinks? The site that's getting tougher about alerting people about insecure websites? I was a little surprised. An obvious question is who to believe. Blogger.com isn't some little home-grown website. It's one of the biggest blogging platforms in the world and it's run by Google, one of the biggest websites in the world. Google has an excellent reputation for security. As I pointed out, they're getting aggressive about encouraging everyone to ...

An Irishman's view of web security

Sometimes I joke that I know about web security because I'm Irish. Think that's silly? Consider what happened just last week... I needed some information from a government website. I went to their search page, typed in my name, and found myself in a familiar situation: I knew the signs right away, but just to be sure, I typed in a different name: Smith. The search worked just fine. Robinson: fine. Blahblahblah: no problem. Then I tried my name again: O'Sullivan. Sure enough: search error. So what's going on there? Why does my name trigger an error but the Smiths, Robinsons, and Blahblahblahs have no problem? I told you, it's because I'm Irish. OK… maybe I could be a little more specific. See, it's that apostrophe in my last name. Somebody wrote a database query for that website, and they did a lousy job of it. When that poorly written query hits an apostrophe it blows up, and those of us with Irish surnames like O...