Security
XSS Attack Scenario
No matter how many articles I read about XSS attacks (a.k.a. cross-site scripting attacks), I can never get enough of them. Here's a good one from InformIT that narrates a hacker-for-hire's attack on a client's web application; he starts with a simple login form and ends up pretty much in total control after a short amount of time...
Some Interesting Links
A friend (and former boss) has put together a list of books and links that he finds useful. There is some good stuff in it, so I thought I'd share it here.
Failing Securely
Yesterday I had to rewrite an algorithm of mine because it failed to fail securely. We're in the QA testing phase of the project and one of our testers found a defect that revealed this to me. As soon as I saw what was happening in my code to cause this defect, my immediate reaction was "Uh-oh. This is not good." Given a certain set of circumstances, the algorithm produced a result that was incorrect, which is bad enough, but in this case the incorrect answer revealed information that certain types of users should not see. This is what I mean by failing securely: if the algorithm is going to fail, it needs to do so in such a way that the least amount of "harm" occurs.
Designing and Coding with Security In Mind
What responsibility does a software developer, or a software development shop/team/department, have for security? It seems too easy to make blanket statements like "security is always a top concern" or "coders have to take security seriously." It's not usually that simple. How important is security? And whose responsibility is it? As with many things, I think the answer is, "It depends."
On what, then, does the importance of security, or a developer's responsibility for security, depend? I think it's useful first to divide security concerns into three categories, because not everything falls within a typical programmer's control.