Thursday, June 18, 2009

Isn't that Impossible?

Not every organization and their people know about software security issues nor do they respect the same.

In most of my workshops conducted with developers for secure coding, I often hear the proclamation, "Isn't that Impossible..." and then the drama starts...

Many developers do not understand how the web works
• “Users can’t change the value of a drop down”
• “That option is greyed out”
• “We don’t even link to that page”

Many developers doubts attacker motivation
• “You are using specialized tools; our users don’t use those”
• “Why would anyone put a string that long into that field?”
• “It’s just an internal application” (in an enterprise with 80k employees and a flat network)
• “This application has a small user community; we know who is authenticated to it” (huh?)
• “You have been doing this a long time, nobody else would be able to find that in a reasonable time frame!”

Many developers do not understand the difference between network and application security
• “That application is behind 3 firewalls!”
• “We’re using SSL”
• “That system isn’t even exposed to the outside”

Many developers do not understand a vulnerability class
• “That’s just an error message” (usually related to SQL Injection)
• “You can’t even fit a valid SQL statement in 10 characters”

Many developers cite incorrect or inadequate architectural mitigations
• “You can’t execute code from the stack, it is read-only on all Intel processors”
• “Our WAF protects against XSS attacks” (well, clearly it didn’t protect against the one I’m showing you)
Developer cites questionable tradeoffs
• “Calculating a hash value will be far too expensive” (meanwhile, they’re issuing dozens of Ajax requests every time a user click a link)

There would be dozens more. The point that is developer education for security is one of the largest gaps in most SDLCs. How can you expect your developers to write secure code when you don’t teach them this stuff? You can only treat the symptoms for so long; eventually you have to attack the root cause.


  1. Richard BejtlikJune 19, 2009 9:49 AM

    Just amazing to read this post...I can imagine the reactions from developers who are unaware of security issues ...they would definitely give this talk...

    Cheers Dharmesh !

  2. Agree with u Dharmesh.....
    Nice article...

  3. The easiest way is to Show them...Download the Firefox + Install few plugin + And show them how to Change Cookie ? How to do XSS (Basic) etc. Till someone has not seen demo, how he/she can hack it, it is very tough to make him/her security aware !

  4. HI there you have a nice blog,I have a blog too of same catagory,So lets have a link exchange i put your blog in my favorite links or blogroll and you put mine,here is my blog,,If intrested
    IN this way we both will obtain higher page ranks

  5. You have captured the heart of the matter.