Web Application Security - The end!

In the final part of our web application security piece, we examine how lazy coding makes web applications vulnerable.

IT manager and Web coder Zubin Henner, who hails from Byron Bay in Northern NSW, isn't a security specialist, but says he's familiar with security concepts. "Any user input has to be treated as though it's extremely dangerous," he says. "You narrow it (a Web application feature) down into only being able to do what it's intended to do and nothing else."
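The principle Henner describes, treating every input as hostile and narrowing each feature to exactly what it is meant to do, is usually implemented as allowlist validation plus a fixed mapping from user-supplied keys to server-side resources. The block below is an added example written for this article; it is not code from Henner or from the article, and every function name and sample value in it is constructed for illustration.

```python
import re
from html import escape

# Allowlist patterns: describe what is acceptable, reject everything else.
# Assumed policy for this example: a handle is 3-16 lowercase ASCII letters,
# digits or underscores and starts with a letter.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,15}")
# Quantities are plain ASCII decimal digits only; no signs, spaces or floats.
QUANTITY_RE = re.compile(r"[0-9]{1,3}")

# The user never supplies a path; they supply a key that is looked up in a
# fixed table the server controls (constructed sample entries).
REPORTS = {
    "monthly": "reports/monthly.pdf",
    "annual": "reports/annual.pdf",
}


def validate_username(raw: object) -> str:
    """Return the handle unchanged if it matches the allowlist, else raise."""
    # fullmatch is used instead of '$' so a trailing newline cannot slip through.
    if not isinstance(raw, str) or USERNAME_RE.fullmatch(raw) is None:
        raise ValueError("username rejected")
    return raw


def validate_quantity(raw: object, max_qty: int = 99) -> int:
    """Parse a quantity field, accepting only 1..max_qty written as plain digits."""
    if not isinstance(raw, str) or QUANTITY_RE.fullmatch(raw) is None:
        raise ValueError("quantity rejected")
    qty = int(raw)
    if not 1 <= qty <= max_qty:
        raise ValueError("quantity out of range")
    return qty


def resolve_report(raw: object) -> str:
    """Map a request key to a server-side file through the fixed table only."""
    if not isinstance(raw, str) or raw not in REPORTS:
        raise ValueError("unknown report")
    return REPORTS[raw]


def render_greeting(raw_username: object) -> str:
    """Validate on the way in and HTML-encode on the way out before rendering."""
    name = validate_username(raw_username)
    return f"<p>Hello, {escape(name)}</p>"


def rejects(check, value) -> bool:
    """Helper: True if the validator refuses the value, False if it accepts it."""
    try:
        check(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one accepted and one rejected per feature.
    for value in ("alice_01", "Alice"):
        print("username", repr(value), "rejected" if rejects(validate_username, value) else "accepted")
    for value in ("5", "-5"):
        print("quantity", repr(value), "rejected" if rejects(validate_quantity, value) else "accepted")
    for value in ("monthly", "quarterly"):
        print("report", repr(value), "rejected" if rejects(resolve_report, value) else "accepted")
    print(render_greeting("bob"))
```

The design choice worth noting is that none of these functions try to clean up bad input; they either accept a value that matches the narrow definition of the feature or refuse it outright, which is what "only being able to do what it's intended to do and nothing else" means in practice.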

He admits it's easier said than done, but nevertheless a practice he adheres to religiously. As for business logic snafus like the Passport disaster, Henner says he's baffled. "I can't see how one would make such a mistake like that... Generally my approach to coding is to keep it as simple as possible," he says.

The approach of Henner and his ilk bodes well for the baseline standard of Web application security in the future, but sloppy coders will always find work as long as demand outstrips supply.

Security consultant Neal Wise, of Melbourne-based consultancy Assurance.com.au, says many Web application vulnerabilities are rooted in laziness, not a lack of expertise or information concerning secure development. "The more applications, the more people there are developing them, the greater the chance of issues," he says. "At the same time there's a lot of frameworks people do use... like OWASP and things like that to provide them some guidelines. But the reality is most people just click, click, click through like a graphical based development system and they don't necessarily think about the security context of things."

OWASP, or the Open Web Application Security Project, is an online hub for Web coders to get together and share information on secure coding techniques, as well as code that performs security functions, like preventing Cross Site Scripting and Cross Site Request Forgery attacks.

Until coders lift their game, the enterprise will have to maintain a budget for securing its Web applications. If they don't, the results could be disastrous, à la CardSystems.
