Contrarisk Security Podcast #0034: Web application vulnerabilities

» Listen or download now on the podcasts page »

Sasha Zivojinovic, Context Information Security

Sasha Zivojinovic, Context Information Security

When it comes to web applications, Sasha Zivojinovic of Context Information Security believes we may have too much of a good thing. Web application frameworks (WAFs) have matured, providing a fast way to develop and deploy sophisticated sites. It’s hard to imagine life without them.

WAFs relieve developers of much of the grunt work, including security features such as user authentication. But have developers become too dependent? While platforms such as WordPress and Joomla have suffered high-profile issues with vulnerabilities, are too many people ignoring this and just assuming that the WAF takes care of security for you?

Certainly, WAFs have got better on the security front. But while the number of bugs has come down, the ones that remain are now harder to find.

A key problem is developers not understanding how user-provided data is going to be used. It may have been sanitised and checked by filter functions in the application framework, but that doesn’t mean it’s safe to use in all contexts, says Zivojinovic.

Applications can be too complex to test as a whole, and components tested in isolation can miss the corner cases, the vulnerabilities that arise from the interaction of various parts of the solution.

Given that developers use these frameworks to save time and money, there’s not much incentive to audit or fully examine these tools. And when weak spots are discovered ,they can be devastating because so many sites are using that framework and are therefore vulnerable. And finding vulnerable sites can be as simple as carrying out a Google search.

There’s no magic bullet solution to this, says Zivojinovic. The key is to educate developers about where the problems can arise.

» Listen or download now on the podcasts page »

Leave a Reply

Your email address will not be published. Required fields are marked *