Wednesday, October 04, 2006

Evolution of the Web Application Security World

Last week I attended a happy-hour party generously sponsored by iSEC Partners. About 40 showed up from all over silicon valley including Google, Seimens, IGN, eBay, Fortify, Adobe, etc. I met several thought provoking people, many said they knew of me and enjoyed studying my work. Cool! Conversation revolved mainly around web application security, since that’s what’s on everyone’s minds. We talked of new hacks, defense strategies, war stories, what the bad guys are up to, and of course plenty of vendor gossip. The amount of lucid webappsec discussion occurring in the physical world is, in a word, inspiring.

Then, just when I think I know something, someone says something that alters my view of the world. Two separate people said they learned about Cross-Site Scripting (XSS) in college! SQL Injection too. C’mon your joking right!? I guess this makes sense, but I was completely blown away. When at I first looked at institutions of higher learning it was lucky to find one class on infosec. Mostly about encryption, how firewalls worked, and the CIA model. Nothing webappsec related, let alone covering XSS. The underground had been playing around with what later became known as XSS since 1996. Not quite 30, I instantly felt like the old man of webappsec. Walking to school, up hill, both ways, in the snow. :)

For those who remember, the world was much different only a few years ago. Web application security was barely a term, in fact, most called it “CGI Security”. Remember? Back in the time of phf, IIS Unicode, and ../../etc/password exploits. When everyone thought firewalls and the tiny lock symbol would safeguard us. Network security gurus shunned the few of us who knew better and ignored arguments to the contrary. And besides how dangerous could a scripting language like JavaScript really be? HTTP monkeys weren’t taken seriously, but this didn’t stop us from walking in and out of just about any website we wanted. That part hasn’t changed much.

What has changed is a vast improvement of widely disseminated knowledge and awareness amongst the masses. Web application security is no longer a dark art only known to a select few insiders. Industry conferences take place all over the world and webappsec speeches are commonplace. (In fact I’m in route to Black Hat Japan as I write this post.) Practitioners seeking technical training have only to ask. Novices, with no more skill beyond they’re web browser, can easily master powerful tricks-of-the trade. Organizations truly desiring security for their websites have what they need to protect themselves. While the industry still has a lot of work ahead, I see real progress.

I'll take some pictures of Tokyo while I'm here and post later.

1 comment:

Ian said...

Perhaps I was just lucky to be at a University that taught practical computer security; through both undergraduate and graduate level courses we ran the gamut of security issues, from more classical security issues like buffer overflows to more contemporary issues like web application security. One of our major assignments was a full code review and security analysis of a PHP application that the university was about to implement and our final exam consisted of this, which was heavily based on web technologies.

I had thought that courses such as this were fairly commonplace in the nation’s universities, but I guess that’s not the case.