A Handful of Vulnerabilities: Introduction

by Charles Miller on November 9, 2003

Application security is important.

Sure, Charles. Water is wet, too. Maybe you also want to point out that cutting off your finger might hurt a bit? Way to state the obvious. We live in an age of ubiquitous networking, where any security flaw can open a user up to untold damage from legions of script kiddies. Of course security is important.

So why do so few application developers pay attention to it?

If you're a professional programmer, how many books or articles on architecture or development practices have you read? How many books or articles on application security have you read?

At the technical book-shop down the road from where I work, there are shelves and shelves of architecture and "best practices" books aimed at programmers. Right beside them there are shelves of security books aimed somewhere between network security professionals, and wannabe hackers. The overlap, security books aimed at programmers, seems to consist of about three books that spend most of their time telling C programmers to stop producing those damn buffer overruns.

And we wonder why we keep producing vulnerable software.

"A Handful of Vulnerabilities" is my attempt to fill a gap in the education of modern developers. For us to produce secure software, we need our minds to be tuned to what programming pitfalls are out there, and how we can avoid them. We need to know what exploits are commonly found in software, and how they come about. That way, we have this important alarm bell that will go off inside our heads when we recognise a possibly dangerous pattern: "You're about to make a mistake. Go back now". This is how we make software safer.

Examples will be given in Java, because it's the most likely language to be familiar to the largest portion of the audience.

When I was writing the notes for one of the chapters of this series, those alarm-bells started ringing. I downloaded the source of a popular open-source Java program. I'd seen it in action here or there. I'd never even looked at the source before, but the pattern was enough for me to know it was going to be a problem. Sure enough, this hole was there: gaping and just waiting for someone to exploit it. If I had been less ethical, I could have made the lives of quite a few people distinctly less comfortable. As it was, I fired off an email to the maintainers, and they're busy fixing it now. But who knows, chances are there's an anti-Charles out there who thought of this long before I did...

So here's "A Handful of Vulnerabilities". A series of articles detailing common security flaws found in software: stuff that gets reported to Bugtraq every day. Mistakes that are made over and over again. If you're a developer, it's your job to know what these are, and how to avoid them. Because that's the only way we can stop them happening.

Contents so far:

  1. Directory Traversal
  2. SQL Injection

Previously: There Is No Magic Security Bullet

Next: [AHOV 1] Directory Traversal