
Re: Thanks! Re: good anti-virus software to use?



Christopher Nelson wrote:
> On Fri, Apr 21, 2006 at 02:21:14PM -0600, Monique Y. Mudama wrote:
> 
>>Or even more often, PHP scripts that you write yourself!
> 
> Yes of course, but those aren't usually intentionally insecure ;)  If
> they are, you might want to see someone about it...  But I (foolishly)
> assumed that someone writing their own would realise the security risks.
> 

It's funny how people overestimate their own ability to write secure
code.  At one point, I thought I knew how to write secure code.  Then, as
part of my Master's courses, I took a course on secure software design.
Mind you, this was a lot of high-level stuff.  We did some shell
scripting and some C coding.  Overall, I was stunned at how easy it is
to make mistakes that are exploitable.  I know that some modern
languages and compilers try and mitigate some of the vulnerabilities,
but it is still easy to make mistakes.

The best point that I learned in that class was that security absolutely
must be part of the design from the very beginning if it is to have any
sort of effect.  Otherwise, you are stuck bolting it on after the fact,
which usually does not work so well.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto
