Do you care about security?

One of the most frequent tips on building a great web app is “release early, release often”. Push out new features as soon as possible. It’s appealing: you can amaze your users each month with a cool new feature, you create buzz, you are interesting, you are hot. This all happens on the frontend, where people can see it and click it.

However, there’s also some backend stuff that needs to be done. In the same way that users don’t care what language you are using, they don’t notice whether you’ve just updated your logging system or sealed a security hole. So, naturally, we focus on the buzz-creating, user-attracting features and leave the non-sexy stuff for last.

And that’s the heart of the problem. Making the app secure is usually at the bottom of the TODO list. I’m not sure whether it’s because developers don’t want to, don’t care or don’t know how to fix this. Or maybe they are relying on the security provided by the framework they’re using (which may not be a good idea). Why is irrelevant; the simple fact of the matter is that there are a lot of startups out there with severe security flaws.

It’s kind of OK when all you can lose is your business and your users. After all, it was your fault. You can start all over again and this time be more careful.

However, it is a different case when people put their trust in you and store their valuable data (and presumably secret data, in which case they are naive) on your servers, using your service. Yes, I’m looking at you, DropBox. Thanks to a simple XSS vulnerability, DropBox effectively becomes Rapidshare. Take a look at this proof-of-concept video by Synopsi. It shows only how to change the computer’s name, but it is possible to read and write files or access any folders shared through the service.

It’s not just DropBox. Sadly, half of the web is vulnerable. What’s even worse, companies, developers and the people responsible for securing their apps ignore this problem, don’t talk about it, don’t confront it, and act as if everything is normal and the problem doesn’t even exist.

So I appeal to you, web developers: take some time to think about the security of your web application, be reasonably paranoid, sanitise your data, and so on. Care about security.
