Crackers and correlations

Dave Hull dphull at insipid.com
Sat Oct 30 11:10:33 CDT 2004


Quoting "Monty J. Harder" <lists at kc.rr.com>:

> "Dave Hull" <dphull at insipid.com> wrote:
>
[snip]
> > you should check the user input and make sure it's sane, that it fits your
> > application.
[snip]
>   That's not just 'secure' programming, but 'sane' programming.  It is a
> maxim of the military that "No plan survives contact with the enemy."  As a
> technical support veteran, I have formulated the analogous "No software
> survives contact with the user".

I agree. I was shocked when I listened to a former colleague of mine whine about
users not inputting their phone number correctly on a web interface he had
created. "I even put instructions right next to the fields explaining that they
shouldn't input dashes or spaces or parentheses..." he said.

After he cooled down, I told him that he should never expect his users to read
and/or follow directions. Don't trust, but verify. He'd never thought it
through before, but I saw the scales fall away from his eyes.

Scary thing is, he had previously been writing code for a rather large new media
company, building web sites with user interfaces.

Another web application I worked with recently was vulnerable to SQL injection
resulting in theft of service. I told the primary developer about it, and he claimed
that was only the case on the test server. I asked him if I could try it on the
production system. With him watching over my shoulder I went through the exact
same process, and he couldn't believe it. He'd heard of SQL injection, but
hadn't ever read anything about it.

As I dug deeper in their configuration, I determined that it was possible for an
attacker to completely wipe out the database. It's amazing what you'll find in
the wild.

--
Dave Hull
http://insipid.com
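The two failures Dave describes above, the phone field that trusted users to follow the instructions and the login that let user text become part of the SQL, as one runnable illustration. This is an added example, not code from the post or from either application he mentions: the ten-digit North American number policy, the table layout and the sample accounts are assumptions made up for the demonstration.

```python
import re
import sqlite3
from typing import Optional, Tuple

# --- 1. Phone number input: normalise what users actually type, then verify ---
# Assumed policy (not from the post): store ten-digit North American numbers as
# bare digits, accept whatever decoration the user adds, reject anything else.
_DECORATION = re.compile(r"[\s().\-+]")


def normalize_phone(raw: str) -> Optional[str]:
    """Return the ten digits if `raw` is a plausible NANP number, else None.

    Strips the dashes, spaces, dots and parentheses the developer told users not
    to type, tolerates a leading country code 1, and refuses everything else
    (letters, quotes, too few or too many digits) instead of storing it.
    """
    stripped = _DECORATION.sub("", raw)
    if not stripped.isdigit():
        return None  # anything that is not a digit after cleaning is rejected
    if len(stripped) == 11 and stripped.startswith("1"):
        stripped = stripped[1:]  # drop the country code
    # NANP: area code and exchange cannot start with 0 or 1.
    if len(stripped) != 10 or stripped[0] in "01" or stripped[3] in "01":
        return None
    return stripped


# --- 2. SQL injection: the concatenated query beside the parameterised one ---
def demo_db() -> sqlite3.Connection:
    """In-memory database with constructed sample accounts (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (username TEXT, password TEXT, plan TEXT);
        INSERT INTO users VALUES ('alice',   'correct horse', 'premium');
        INSERT INTO users VALUES ('mallory', 'hunter2',       'free');
        """
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[Tuple[str, str]]:
    """String concatenation: the user's text becomes part of the SQL grammar.

    A username of  alice' --  comments out the password check and returns
    alice's premium row without knowing her password: theft of service.
    """
    sql = ("SELECT username, plan FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str,
               password: str) -> Optional[Tuple[str, str]]:
    """Parameterised query: values travel separately from the statement,
    so a quote or comment marker in the input is just data to compare."""
    sql = "SELECT username, plan FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    for typed in ["(816) 555-0123", "+1 816.555.0123", "816-555-012", "alice' --"]:
        print(f"{typed!r:20} -> {normalize_phone(typed)}")
    db = demo_db()
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))
    print("safe:      ", login_safe(db, payload, "wrong"))
```

Python's `sqlite3.execute()` runs a single statement, so the concatenated version here only yields the authentication bypass; a database driver that accepts stacked statements turns the same flaw into `x'; DROP TABLE users; --`, which is the "completely wipe out the database" outcome the post describes. The fix is the same in both cases: parameterised queries for the SQL, and a normalise-then-reject step like `normalize_phone` for every field, regardless of what the instructions beside it say.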



More information about the Kclug mailing list