Step 1: remove internet explorer
Step 2: remove messenger
Step 3: remove office
There's a trend here...
Cyber criminals and spies have shifted their focus of attack in response to improved security defences. Facing improvements in system and network security, crackers have two new prime targets that allow them to evade firewalls, anti-virus, and even intrusion prevention tools: users who are easily misled and custom-built …
A more secure approach would be
Step 1: Remove unnecessary internet access from users
The fact is most users have no need to access the internet, and without access they can't get their systems infected apart from through email viruses or trojans
Step 2: Disallow external mailing unless required for the job
If they can't mail anyone outside the company or receive emails from outside, they can't leak passwords or get infected from outside
Step 3: Train users that have internet access and email to be safe online and understand how to use a computer
Step 4: shoot the ones that leak info / get infected systems
They clearly didn't learn anything in their training and hopefully you caught them before they breed
Step 5: don't use web apps, anything that's accessible on the internet can be assumed to be insecure
Step 6: sod it, live in a cave with no power your data and computer will be secure then :)
"Until colleges that teach programmers and companies that employ programmers ensure that developers learn secure coding, and until those employers ensure that they work in an effective secure development life cycle, we will continue to see major vulnerabilities in nearly half of all web applications,"
What do businesses want from their web apps? They want them to look good, be responsive and they want them yesterday. Security doesn't come into the equation, even if developers had access to the necessary testing tools (which most of them don't). Web application security is going to get a whole lot worse before it gets better.
http://xkcd.com/327/
Developers... the problem with almost all (new) developers these days is that they're entirely and utterly clueless about ANYTHING that happens below the level at which they point, click and drag stuff around the screen to make an "application".
I've recently encountered "developers" who had no idea of the difference between tinkering with scripting and programming, had no idea what the hell an object is (even though they use them all the time) and haven't got the slightest clue how a network connection actually works.
But it's all OK really, because the exam results are way up and the new developers have all been successfully brainwashed into believing that anything non-Microsoft is "bespoke" (so shouldn't be touched) and there is only one word processor, one spreadsheet application, one web server application, etc.
The reason IE's so insecure is that its code base goes back to the days when Microsoft didn't know their arses from their elbows when it came to writing applications. They have changed and are definitely getting better. However they're stuffed with crap ancient code which is full of bugs - that's if it makes any sense, as it's purported to be nigh-on impossible to understand as it's been modified so much over the years. And, let's face it, MS did nothing with IE6 from 2001 to 2006.
So, on the one hand there's IE which is based on an ancient engine and has security features from the dark ages of the browser wars (e.g. ActiveX). On the other there are the relative newcomers including Firefox which uses Open Source techniques and so has many times more programmers examining the code.
Which one's more likely to be secure?
Wouldn't it be great if the EU demanded that MS extracted IE from their operating systems. It would do masses of good for the security of the clients.
I think you miss Glenn Gilbert's point.
The item is headed 'daft users & insecure web apps'.
By attempting to ridicule a pertinent point, i.e. that Windows, IE & Outlook Express, etc. as shipped by MS over the past 15 years - already set up by pillocks for other pillocks so they don't need to think - fall neatly into both categories.
Why you mention Linux & Firefox I'm unsure.
If e.g. Ubuntu, RedHat, SuSE et al followed MS example and automatically allowed admin rights for every user, or built a browser into the OS, I'm sure they'd have the similar problems - and would deserve to be pilloried.
Well, yes - comparatively speaking web based applications will always be the weak point in the security chain - they have to be known, public locations.
The trick, I reckon, is to work out what your web-app needs to know. Does it need access to the back office? Really (the answer here should be "no")? How much user data does it need and how much should be encrypted? How are you maintaining sessions and preventing hijacking? Does it matter if the session is hijacked ("if you are not Chris Cheale - click here" Amazon style)? This rather depends on what that session allows access to; is it a "public" or "private" session?
Another thing is how well your app cleans up after itself; just how good is the garbage collection? Don't leave dead session (or other) data lying around - it's just asking for trouble. Oh, and trust no-one - sanitise all data going between your application and display layers - type fix it where you can.
What worries me a little is that because I'm an entirely self-taught LAMP-type developer, I'm sure there are things I'm missing - so I never stop trying to learn.
What worries me a _lot_ is the amount of code for web-apps I've seen that is utter shite; that I'd be ashamed to put my name to, let alone charge anyone for.
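The session-hijacking, "type fix it" and "sanitise between layers" points in the post above, worked through as an added PHP example for a LAMP-style app (this is not the commenter's code; it assumes PHP 7.3 or later, and the function names and the request values are made up for the illustration):

```php
<?php
// Added example, not from the comment thread: coerce untrusted input to the type the
// app expects, escape at the display boundary, and harden the session against hijacking.
declare(strict_types=1);

// --- Type fixing: an id or page number is an int or it is nothing ---
function fixInt(array $source, string $key, int $default = 0): int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1e3" and "" outright; no partial casts
    $v = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT);
    return $v === false ? $default : $v;
}

// Free text that drives a query (sort column, filter) is only accepted from an allow list
function fixEnum(array $source, string $key, array $allowed, string $default): string
{
    $v = $source[$key] ?? '';
    return in_array($v, $allowed, true) ? $v : $default;
}

// --- Sanitising between application and display layer: escape on output, every time ---
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Session hygiene: cookie flags plus id rotation when the session gains privileges ---
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,   // script cannot read the cookie, so XSS cannot simply copy it
        'secure'   => true,   // never sent over plain HTTP where it could be sniffed
        'samesite' => 'Lax',  // not attached to most cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1'); // ignore ids the server never issued
    session_start();
}

function promoteSession(int $userId): void
{
    session_regenerate_id(true); // fresh id on login: a pre-set or sniffed id is useless
    $_SESSION = ['user_id' => $userId, 'started' => time()];
}

// Constructed request values standing in for $_GET, to show the fixes taking effect
$req  = ['page' => '12abc', 'sort' => 'price; DROP TABLE x', 'name' => '<b>Chris</b>'];
$page = fixInt($req, 'page', 1);                          // 1
$sort = fixEnum($req, 'sort', ['name', 'price'], 'name'); // 'name'
echo '<p>Hello ' . esc($req['name']) . ', page ' . $page . ' sorted by ' . $sort . "</p>\n";
```

Call startHardenedSession() at the top of every page and promoteSession() right after a successful login; the two input helpers belong wherever request data first enters the application, not in the template.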