Security Attitude


Postby IKnowNot » Sat Mar 25, 2006 5:56 pm

I didn't know where to put this, it could fit as a discussion in so many areas.

I was trying to catch up on my reading today ( I'm way behind. )
Mind you, this after reading things like AO: SANS Infocon at Yellow - IE Exploit and IE Vulnerability (http://tazforum.thetazzone.com/viewtopic.php?t=844).

Something caught my eye in the February 16 edition of Network Computing Magazine:

"AJAX Isn't Squeaky Clean "
( the title of the online article is a little different: Is AJAX a security risk? )

What really intrigued me was the last line:

"Is AJAX a security risk? Probably. But let's not drag Web services through the mud just because AJAX is one of today's most commonly used SOA clients."
Does this chew at anyone else?

I mean not just the statement, but the underlying concept behind it. It is prevalent throughout the industry, has steered the development of the IT industry for the past decade, but isn't it time that people in general came to grasp that security is everyone's responsibility, and liability?

Am I off base here? Or doesn't anyone else see what I see?


Terms used in the article:
Ajax
SOA
If I ever find the damn avatar I made for this site I'll upload it.

Postby Maverick » Sat Mar 25, 2006 6:45 pm

What are they trying to say? That web services might not be secure, but let's not get on to them about it because it's widely used? That's complete BS - you're right, security is everyone's (ESPECIALLY online service providers) responsibility, and at times, can be a liability... If I code a web app providing a service to my clients and customers, I have to be concerned with security - they are trusting me with their sensitive data, I can't just ignore that... At the same time, my clients need to realize that on their machines, they have to be just as concerned with security as I am on the server side... It goes both ways - that needs to be widely understood....
- Maverick

Postby J_K9 » Sat Mar 25, 2006 7:42 pm

Maverick wrote: "If I code a web app providing a service to my clients and customers, I have to be concerned with security - they are trusting me with their sensitive data, I can't just ignore that... At the same time, my clients need to realize that on their machines, they have to be just as concerned with security as I am on the server side... It goes both ways - that needs to be widely understood...."

Add to that the possibility of your web app being exploited by a cracker, and him using your compromised system as a zombie in a DDoS attack, and not only is your and your clients' security at risk, but also everyone else on the internet.

I agree IKnowNot - but complacency and such widespread usage means that even if things like AJAX were avoided, not everyone would follow - to them, why do the security risks matter when AJAX can be used to create such powerful applications?

We can put this into another context. If IE has a vulnerability, why drag Windows through the mud? It gets to a stage where common habits are established, and once they are there, whether a risk to security or not, they are there to stay.

It's a pity the IT industry evolved this way. But, what can we do?

*sigh*
"Don't gain the world and lose your soul, wisdom is better than silver or gold." - Bob Marley

[CS:Source Admin]

Postby rapier57 » Mon Mar 27, 2006 9:47 pm

What can we do? Vote with our pocketbooks.

Otherwise, when industry journalists make lame statements like that, call them on it. Throw it back at 'em! In large part, these are the people who should be taking the industry to task when it comes to security and good practices.

The author pretty much admitted that the whole deal was seriously flawed, but then said, "just ignore the man behind the curtain."

I quit reading NetworkComputing some time back because they were too afraid to bite the hand that feeds them--the advertisers. No integrity, no backbone.
Rapier57.

Jayne: Testing. Testing. Captain, can you hear me?
Mal: I'm standing right here.
Jayne: You're coming through good and loud.
Mal: 'Cause I'm standing right here.


@rapier57

Postby Maverick » Mon Mar 27, 2006 11:52 pm

rapier57 wrote: "The author pretty much admitted that the whole deal was seriously flawed, but then said, 'just ignore the man behind the curtain.'"

And that attitude is outright ridiculous...

IKnowNot, back to your original question - you're not at all off base, I'm with ya...
- Maverick