Bug Watch: Developers at fault
In my line of work it is inevitable, but always shocking, to see the number of high-risk security flaws developers have left behind. Most worryingly, a major proportion of vulnerabilities are due to a basic misunderstanding of the internet protocol and system software used to host or use the web application.
Many developers fail to understand the nuances of the HTTP protocol and assume that it is too difficult, or not worth the trouble, for an attacker to assault their custom application. Developers must assume that every packet of data not coming from the organisation's hosts and servers can be modified.
Infrequently, 'security aware' sites manage to correctly implement input validation rules for client data. Unfortunately, all client-side checking and data validation processes can be bypassed by an attacker using commonly available tools and methodologies.
[ Read more ]