news.com.com— Security has become a no-brainer for desktop software, but the same doesn't hold true for the booming world of Web applications.
Jul 28, 2006
vtstevenvt, Jul 28, 2006
As a web programmer, this is definitely an issue. One of the easiest attacks to guard against is SQL injection, but not many websites out there do, because not many programmers know that it is something they will have to program against instead of pushing the responsibility to the Database Administrator. Things like this are often overlooked in a crunch for time or another new feature. SQL injection isn't a problem in C#, but it is in VB.NET, so why is everyone using VB.NET? Sometimes choosing the right tool is the key.
fartsammich, Jul 28, 2006
"but I'll tell ya... my company would never use online apps to run their business."

Do you dig up earthworms to sell to fishermen down at the docks or something?
merreborn, Jul 28, 2006
"but I'll tell ya... my company would never use online apps to run their business."

If you bank at Wells Fargo, take a look at the teller's screen next time you're in the bank. That's right, you just saw IE accessing an internal web app. Part of the problem is that people such as yourself don't see the browser for what it really is: a generic client application. You're no safer with a client-server desktop application than you are with a client-server web application. Yeah, there was a worm that hit Yahoo! Mail. But do you have any clue how many worms have taken advantage of Outlook in the past? An insecure application is an insecure application, whether it's a web app or a desktop app. If you've got programmers who know what they're doing, it doesn't matter what they're developing; it's going to be secure. The only difference is it's easier for an idiot to build a web app than a desktop app.
pile, Jul 28, 2006
Yes, "Web 2.0" is defined as, "a useless, abstract reference that the tech media uses that, for the time being, seems to create a Pavlovian-like response from users signifying some equally abstract and ambiguous substance." http://BSAlert.com/
ihatepants, Jul 28, 2006
Ack! The analogies were horrendous! Let me put just one example into layman's terms:

1) Traditional web applications submit basic client-entered data to the server. All the work is done on the server, so it tends to be easier to secure an application in the traditional sense. (This doesn't make an app invulnerable, it just somewhat alleviates the issues below.)

2) "Web 2.0", a.k.a. AJAX/GWT/Atlas/etc. applications, do a whole bunch of work on the client before they submit to the server.

3) Users really like it if you warn them of a mistake immediately, versus waiting for a return from the server. (E.g. "That isn't a valid username" or worse, "That isn't a valid password.") Developers like to make customers happy, so they work towards giving immediate responses when they can.

4) Give someone enough rope and they will hang themselves. "Web 2.0" (oh how I loathe that catchphrase) gives a large amount of rope. With AJAX/GWT/etc. you have to validate everything twice. If you only validate on the client, people can easily forge requests that bypass all of your checks. If you only validate on the server, then you haven't bought yourself anything by using any of these nifty tools.

I'm all for these new nifty web tools. I'm spending all my free time learning them as I see they are going to be the future of web development. I also see a horrendous amount of hacked sites coming up because people will forget to double-validate every piece of information they receive on the server side.
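To make the "validate twice" point concrete, here is an added example (not code from the article or from any commenter) of the server-side half: the same rules the browser script would enforce, run again on the raw request body, so a request forged with curl or a proxy that never executed the client-side JavaScript is still rejected. The sign-up fields, the rules, the field-length limit and both request bodies are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed rules for a hypothetical sign-up form. The browser-side script
# would apply the same three checks; the server must apply them again because
# the client copy runs on a machine the attacker controls.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
MAX_FIELD_LEN = 256  # hypothetical cap on any single field


def validate_signup(fields):
    """Return a dict of field -> error message; an empty dict means accepted."""
    errors = {}
    username = fields.get("username", "")
    email = fields.get("email", "")
    age = fields.get("age", "")

    for name, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            errors[name] = "too long"
    if not USERNAME_RE.match(username):
        errors["username"] = "3-16 letters, digits or underscore"
    if not EMAIL_RE.match(email):
        errors["email"] = "not a valid address"
    if not age.isdigit() or not 13 <= int(age) <= 120:
        errors["age"] = "must be a whole number between 13 and 120"
    return errors


def parse_form_body(body):
    """Parse an application/x-www-form-urlencoded body into single values.

    A repeated key keeps only its first value, and the same copy is what gets
    validated and stored: a forged request may send a field twice hoping the
    validator looks at one copy while the database write uses the other.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def handle_signup(body):
    """Server-side handler: parse, re-validate, then (pretend to) create the user."""
    fields = parse_form_body(body)
    errors = validate_signup(fields)
    if errors:
        return {"status": 400, "errors": errors}
    # Only now would the row be written; here we just echo the accepted name.
    return {"status": 201, "user": fields["username"]}


# Constructed request bodies. GOOD_BODY is what the browser's own script would
# send after its checks passed. FORGED_BODY was built by hand and never went
# through the client-side JavaScript at all.
GOOD_BODY = "username=alice_01&email=alice%40example.com&age=34"
FORGED_BODY = "username=%3Cscript%3E&email=not-an-address&age=-1&age=34"

if __name__ == "__main__":
    print(handle_signup(GOOD_BODY))
    print(handle_signup(FORGED_BODY))
```

The client-side script only buys a faster error message for honest users; nothing about the server's behaviour may depend on it having run.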
nextrix, Jul 29, 2006
@delinka Note that MySQL does not allow stacking of queries, so the ;DELETE FROM table attack would not work anyway. Personally, Web 2.0 or any new technology can always be very useful and secure depending on how the programmer does his job. Most work I have seen is rushed jobs done by freelancers that don't care about security. It is a shame to see sites with flawed code these days.