An Irishman's view of web security
Sometimes I joke that I know about web security because I'm Irish. Think that's silly? Consider what happened just last week...
I needed some information from a government website. I went to their search page, typed in my name, and found myself in a familiar situation:
I knew the signs right away, but just to be sure, I typed in a different name: Smith. The search worked just fine. Robinson: fine. Blahblahblah: no problem. Then I tried my name again: O'Sullivan. Sure enough: search error.
So what's going on there? Why does my name trigger an error when the Smiths, Robinsons, and Blahblahblahs have no problem? I told you, it's because I'm Irish.
OK… maybe I could be a little more specific.
See, it's that apostrophe in my last name. Somebody wrote a database query for that website, and they did a lousy job of it: the query is built by pasting the search text straight into the SQL. When the search text contains an apostrophe, it closes the quoted string early, the rest of the statement no longer parses, and the query blows up. So those of us with Irish surnames like O'Sullivan, O'Malley, and O'Shaughnessy get an error.
Very sloppy. But it gets worse. That site is wide open to being hacked.
The mistake in that query opens them to a hack called SQL Injection. Does that term sound too technical? OK, try this: The Oldest Trick in the Book. That's right, that government website doesn't have some obscure problem that only super geeks would understand. They have a problem that's been around for twenty years. It has been documented endlessly. There are simple tools for guarding against it. It is not a difficult problem to fix.
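Here is what that query mistake looks like next to the fix, as an added example that is not from the original post. The table and surnames are constructed, and Python's sqlite3 stands in for the site's real database; the sloppy version concatenates the search text into the SQL, the correct version passes it as a bound parameter.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the site's database.
NAMES = ["Smith", "Robinson", "Blahblahblah", "O'Sullivan", "O'Malley"]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (surname TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", [(n,) for n in NAMES])
    return conn


def search_concatenated(conn, surname):
    """The sloppy version: the user's input is pasted into the SQL text.
    An apostrophe in the input closes the quoted string early, so the rest
    of the statement no longer parses and the database raises an error."""
    sql = "SELECT surname FROM people WHERE surname = '" + surname + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, surname):
    """The correct version: the SQL text is fixed and the value travels
    separately as a bound parameter, so a quote character is just data."""
    sql = "SELECT surname FROM people WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def demo(surname):
    """Return (concatenated_result, parameterized_result). When the sloppy
    query blows up, the first element is the error class name instead."""
    conn = make_db()
    try:
        bad = search_concatenated(conn, surname)
    except sqlite3.Error as exc:
        bad = type(exc).__name__
    good = search_parameterized(conn, surname)
    conn.close()
    return bad, good


if __name__ == "__main__":
    for name in ["Smith", "O'Sullivan"]:
        print(name, "->", demo(name))
```

Running it shows "Smith" found by both versions, while "O'Sullivan" makes the concatenated query fail with a parse error and is found normally by the parameterized one.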
And yet, after all this time, it's still the most common way that websites get hacked. OWASP lists it as the #1 security flaw on the web (PDF link). News story after news story describes sites that get hacked because of this failure.
Why aren't websites getting it? Why is the oldest trick in the book ignored, and why do so many sites get hacked because of this well-known security flaw?
In this blog I'll look at that very issue. Security starts by taking it seriously. I'll look at why organizations like that government website continue to disregard simple security practices. Later, I'll talk about simple, but often disregarded, security techniques that developers can use to secure their sites.
In 1946, when my granddad applied for US citizenship, that O-apostrophe in his last name triggered some paperwork problems. To fix it he took an easy solution: even though his wife and kids were already named O'Sullivan, he dropped the O-apostrophe and changed his name to just Sullivan.
I, however, don't want to change my name. I want the web to be more secure. Maybe this blog can help a little in that effort.