5 More Things a Web Application Attacker Won't Tell You

By Dan Cornell

We had some great follow-up and suggestions from folks after our previous post on “13 Things a Web Application Attacker Won’t Tell You”.  We thought we’d repeat some here:

- @vidluther: “Just because you’re using a framework doesn’t mean your application is secure”

- @dcuthbert: “Bad guys don’t use a browser to attack your web application”

- Aaron Lognion: “I love when your site lets me upload files under your web root somewhere”

- Aaron Lognion: “I can intercept and steal just about anything you pass over http that is not SSL or otherwise encrypted”
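To make Aaron’s point about uploads under the web root concrete, here is an added example (my own illustration, not code from the original post or from any of the people quoted) of the defensive pattern: the server picks a random name, stores the file in a directory the web server never serves, and uses the client-supplied filename only to select an allowed extension. The paths WEB_ROOT and UPLOAD_DIR, the extension whitelist, and the function names are assumptions for the example.

```python
"""Storing uploads outside the web root with a server-chosen name.

Added example, not from the original post. Assumes an application that
serves static files from WEB_ROOT and keeps uploads in a separate
UPLOAD_DIR that the web server is never configured to serve.
"""
import os
import secrets
from pathlib import Path

# Constructed paths for the example; a real application reads these from config.
WEB_ROOT = Path("/srv/app/public")
UPLOAD_DIR = Path("/srv/app/uploads")   # deliberately outside WEB_ROOT

# Assumed whitelist; only extensions the application actually needs.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}


class UploadRejected(ValueError):
    """Raised when an upload must not be stored."""


def choose_storage_path(original_name: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return the path where an uploaded file will be written.

    The client-supplied name only decides the extension; the stored name is
    random hex, so user input never chooses the directory or the base name
    (a name such as 'x.php.png' still becomes '<hex>.png').
    """
    # Keep only the last path component so '../' segments and absolute paths are ignored.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    stored = upload_dir / (secrets.token_hex(16) + ext)
    # Defence in depth: confirm the resolved path really sits inside upload_dir.
    if upload_dir.resolve() not in stored.resolve().parents:
        raise UploadRejected("storage path escaped the upload directory")
    return stored


def is_under_web_root(path: Path, web_root: Path = WEB_ROOT) -> bool:
    """True if the web server would serve this path directly (it lies inside web_root)."""
    resolved = path.resolve()
    root = web_root.resolve()
    return resolved == root or root in resolved.parents


def store_upload(data: bytes, original_name: str, upload_dir: Path = UPLOAD_DIR) -> Path:
    """Write uploaded bytes to a fresh file in upload_dir and return its path."""
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = choose_storage_path(original_name, upload_dir)
    # O_EXCL refuses to overwrite an existing file, and 0o600 keeps it private.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        saved = store_upload(b"constructed sample bytes", "../../report.pdf", Path(tmp))
        print("stored at", saved, "| served by web server:", is_under_web_root(saved))
```

The file is served, if at all, through an application handler that looks up the stored name in a database and sets a fixed Content-Type, rather than by the web server walking a directory that the uploader can write to.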

Jeff Williams also sent a mention of his OWASP article on How to Write Insecure Code.

All great info!

I’d also propose:

- “Security through obscurity … isn’t”

This is a humorous look at a serious issue.  Too many developers a) don’t have deep enough knowledge of how to develop software in a secure manner and b) incorrectly assume “it could never happen to me.”  It is a scary world out there, and that world runs on software.  The organizations developing that software need to step up and start doing it properly.

--Dan

dan _at_ denimgroup.com

@danielcornell