Study Shows Many Sites Still Failing Basic Security Measures
Orome1 writes with a summary of a large survey of web applications by Veracode. From the article: "Considered 'low hanging fruit' because of their prevalence in software applications, XSS and SQL Injection are two of the most frequently exploited vulnerabilities, often providing a gateway to customer data and intellectual property. When applying the new analysis criteria, Veracode reports eight out of 10 applications fail to meet acceptable levels of security, marking a significant decline from past reports. Specifically for web applications, the report showed a high concentration of XSS and SQL Injection vulnerabilities, with XSS present in 68 percent of all web applications and SQL Injection present in 32 percent of all web applications."
200 (Score:5, Insightful)
I wonder how they test. Some sites that I manage return the user to the homepage on a hack attempt or unrecoverable error, resulting in a 200 return. Would they consider such a system as hacked, since they got a 200 OK return, or not?
what do you expect? (Score:4, Insightful)
This is capitalism/corporations. It's all about profit, and spending extra on IT cuts into the bottom line.
Economy is bad, so companies make cuts. Personnel, IT, Security, and everything but the CEO's bonuses get cut.
Uh huh (Score:5, Insightful)
Security auditing company produces report that conveniently shows that their services are desperately needed. News at eleven.
Re:what do you expect? (Score:2, Insightful)
If I gave you enough time to do development right, the competition would beat us to market, drive us out of business, and you would be out of a job.
Don't think it is any different working for one of our competitors, they will overwork you just as hard for fear of US beating THEM to the market.
The market has shown a surprisingly high tolerance for bugs and security gaps, so we simply can't afford to proactively fix those.
And if you don't like my high bonus....go start your own company. After realizing just how hard and risky it all is, you will feel like you deserve a nice fat bonus too.
Re:what do you expect? (Score:3, Insightful)
I am sure your point is a part of the problem, but in my (many years) of experience, this has a lot more to do with a myriad of factors, none of which really outweigh the other by much.
I am an independent developer who works on projects with security in mind from the ground up. Time/budget be damned, as it's my reputation on the line. If they can't pay for what it is worth, I tell them to find another developer.
They tend to learn the hard way — it was a better option to stick with a security minded developer in the first place. 85% of them return as customers.
The problem seems to be that most of the developers I have worked with, be it corporate employees or indies like myself, are one of two things, in general: (very general)
1. Lacking knowledge of how to deal with the most common security threats.
2. Lazy, and don't care enough to implement safeguards, etc.
Most of the other excuses boil down to one of the above.
That's my experience out there in the field, working with lots and lots of diverse companies. Of course profit and time to complete enter the picture, but over time, this can be overcome with a lot of experience and a lot of [code] libraries which can be easily implemented, no time lost.
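The summary names XSS and SQL injection as the two findings behind most of the failures, and the comment above argues that both are cheap to prevent with standard library code. As an added example (mine, not from Veracode or any commenter on the thread), the vulnerable pattern beside its fix for each, in Python using only the standard library; the table, rows and probe string are constructed for the demo.

```python
import html
import sqlite3

# Constructed sample data for the demo, not from the survey.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(name: str) -> list:
    """String formatting: the user's input becomes part of the SQL grammar,
    so a quote in the input rewrites the WHERE clause."""
    conn = _db()
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(name: str) -> list:
    """Bound parameter: the driver passes the value separately from the
    statement, so it can only ever be compared against a name."""
    conn = _db()
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(comment: str) -> str:
    """Untrusted text dropped straight into an HTML text node (XSS)."""
    return "<p>%s</p>" % comment


def render_escaped(comment: str) -> str:
    """Output encoding appropriate for an HTML text node; the browser
    shows the markup as text instead of parsing it."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    probe = "x' OR '1'='1"  # constructed tautology input
    print(lookup_vulnerable(probe))     # both rows come back
    print(lookup_parameterized(probe))  # [] : no user has that literal name
    print(render_vulnerable("<b>hi</b>"))
    print(render_escaped("<b>hi</b>"))
```

The same two fixes (bind parameters, encode for the output context) are what most web frameworks' ORM and template layers do by default, which is why the thread treats these findings as low-hanging fruit.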