Beefy Boxes and Bandwidth Generously Provided by pair Networks
Just another Perl shrine
 
PerlMonks  

Managers can't see security

by perrin (Chancellor)
on Jun 22, 2002 at 19:34 UTC ( [id://176513]=note: print w/replies, xml ) Need Help??


in reply to Web Security

The main reason for this kind of thing is simple: the people setting the priorities and development schedules at most web sites don't even know what security is. They think security is a checkmark on an application server feature list, not an ongoing struggle requiring diligence from all programmers.

In my experience, when it comes to QA there will be 50 bug reports about that broken spacer GIF you forgot to copy over to the web server but zero mention of things like session hijacking, cross-site scripting, etc. The only exception to this was when I worked at a site that had been attacked before, and people took it seriously enough to hire an outside security consultant for an audit when a new system went on-line.

The other problem, of course, is programmers who don't know or don't care about security. There are lots of people employed building web sites who have a very rudimentary knowledge of what they're doing, and this is true on any of the popular development platforms. I often talk to Java programmers who don't actually understand the HTTP model or even the basics of how forms work. They've been working with toolkits that abstract it all for them.

Ultimately, I suspect most companies will not be secure until after they have been attacked. The majority of web sites out there are ripe for exploits to anyone who actually cares to break them. Of course a single PC on a good link could take down about 99% of them just by running http_load on the right URL...

Replies are listed 'Best First'.
Re: Managers can't see security
by iza (Monk) on Jun 24, 2002 at 08:50 UTC
    The main reason for this kind of thing is simple: the people setting the priorities and development schedules at most web sites don't even know what security is.
    guess what ? i've been asked to remove all those "useless security checking stuff" because it was slowing the site down !! i couldn't believe it, but i had to remove everything !! talk about incompetent managers ....

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://176513]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others browsing the Monastery: (8)
As of 2024-03-28 11:12 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found