Wednesday, February 28, 2007

Open Source Web App Security

I read a blog posting by Ed Finkler "Do Open Source Devs Get Web App Security? Does Anybody?".

In it he describes disturbing statements found in the documentation of an open source content management system:

A colleague of mine who is dealing with Plone, a CMS system built atop Zope, pointed me to some rather disturbing documents in the Plone Documentation system, ones that I feel are indicative of a much larger problem in the web app dev community.

The first describes a hole (subsequently patched) in Plone that allowed users to upload arbitrary JavaScript. Apparently no input or output filtering was being done. Certainly anyone familiar with XSS attacks can see the potential for stealing cookie data, but the article seems to think this is simply a spam issue.
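The "no input or output filtering" gap quoted above is easiest to see side by side. The snippet below is an added illustration, not code from Plone, Zope or Ed Finkler's post; Python is used because Plone is built on Zope. The function names and the sample comment are constructed for this example.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample: a user-submitted comment body that carries markup.
SUBMITTED_COMMENT = "Nice post! <script>alert(1)</script> <b>thanks</b>"


def render_unfiltered(body: str) -> str:
    """The flawed pattern the quoted post describes: user content is written
    into the page as-is, so any tags it carries (including <script>) become
    live markup in every visitor's browser."""
    return f"<div class='comment'>{body}</div>"


def render_escaped(body: str) -> str:
    """Output filtering: HTML-escape the content at the point it is written
    into an HTML text context, so the browser treats it as text, not markup.
    (Attribute, URL and JavaScript contexts need their own encoders.)"""
    return f"<div class='comment'>{html.escape(body, quote=True)}</div>"


def contains_live_script(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    is an unescaped <script tag still present in the rendered page?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id: str) -> str:
    """Defence in depth against the cookie-theft scenario the post mentions:
    an HttpOnly session cookie cannot be read by injected script, and Secure
    keeps it off plaintext connections. Escaping remains the primary fix."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("unfiltered:", render_unfiltered(SUBMITTED_COMMENT))
    print("escaped:   ", render_escaped(SUBMITTED_COMMENT))
    print(session_cookie_header("constructed-session-id"))
```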

In closing, Ed Finkler gives these blunt statements:

A web developer is not qualified to do the job if he or she does not have a good understanding of web application security concepts and techniques. Leaders of development teams must stop allowing developers who are weak on security techniques to contribute to their products, and managers need to stop hiring candidates who do not demonstrate a solid secure programming background. If they continue to do so, they demonstrate a lack of concern for the safety of their customers.
