Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- From: Bil Corry <bil@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] Interview With Jeremiah Grossman on ClickJacking attack
- Date: Mon, 06 Oct 2008 21:15:27 -0500
Martin O'Neal wrote on 10/6/2008 11:06 AM:
> Many of us aren't sitting on our wobbly corporate arses. We are
> diligently working away to help organisations fix their problems at
> source; in the applications.
Rafal's point of becoming "fix it" people was calling out to organizations on a budget, which presumably means those that can't afford the services of Corsaire. Given the magnitude of the number of sites compromised by some recent SQLi attacks, clearly there is a huge gaping hole between "how to exploit" and "how to protect."
Last year, I was in a position where I needed to hire a handful of web developers and as part of my interview process, I asked each one to describe XSS, CSRF, and SQLi and the ways to mitigate them within a webapp. Out of the thirty or so interviewees, only one could describe SQLi, and no one could discuss XSS and CSRF. I got a lot of comments such as, "I've heard of that before, but I'm not sure exactly what it is." I had to shift my original hiring criteria (and expectations) and do training for all the new hires.
Beyond that though is an even more fundamental problem -- many small sites believe they are not a target because they don't store credit card information or other private data. I recently spoke at a webapp dev conference and spent the first 10 minutes discussing why developers should even care about webappsec before I could even get into XSS, CSRF, etc. Clearly there are a lot of resources available for anyone so inclined to learn, but if the small sites don't believe they're a target, then they're not going to pay attention to anything security-related.
- Bil
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
Brought to you by http://www.webappsec.org