Just throwing this one out there after a talk with a journo today as an aside to the .NET stuff we published today.
The question was raised on overall web application security in the real world….what’s your call on it, SA?
We stated in response that 90% of web applications/sites that we test for the first time have urgent to critical vulnerabilities. (i.e. we own, we break etc ….bad!….PCI as an example…very upset potentially). While we have noticed an increase in security awareness and a desire from companies to test their security (GREAT SIGN), you have to understand, we’re all (all companies like SA) now dealing with a backlog of testing…..stuff that should have been done years ago.
I will state again….the stuff we see every day is scary! CEOs, clients, customers and shareholders would freak if they knew what we knew about their company’s security…..but that’s the norm unfortunately.
When the sh*t eventually hits the fan in these companies, and it makes the press…same old story…..there’s no one to blame!….. (at least in Australia where CIOs can bury their heads in the sand and say, “I never knew there was a problem!”)….
Japan has the right idea in the banking sector – they (the regulators) make the CIO accountable and if the sh*t does hit the fan, he goes to jail (i.e. gaol – Aussie spelling – stupid as it is).
We supported a relatively similar call a while back from the Acunetix dudes that had their 80% claim challenged by Network World.
Happy to be tested and a similar challenge thrown out to us…..though I don’t expect it. It would be like shooting fish in a barrel or, as the Big Galoot says, “a newsagent girl picking me out as the shooter and not the pig on the cover of ‘Babes and Boars’”……maybe not……

I can picture Big Galoot being confused with a dirty big fat bush pig but only based upon his writings. Or should I say, his opinions to some. He does seem okay to me but I don’t base intelligence against looks. DD, is he really that ugly?
Gees, BG must have fans in the US or Europe to be responding at this time of the night (Aus time). (And know he’s a hunter – akin to Steve Irwin but a real hunter.) Aside: I am not, never have been and never will be an animal hunter……but the big galoot continues to try to get me on his boar and croc hunts…He reckons one day!…..He does though hold a record for baiting and catching the oldest and biggest pig in a pub just outside of Mudgee in 2005.
He’s actually a good looking man and enjoys his buffalo wings with me at the only Hooters in Sydney and if anyone else wants to attend those lunches, just respond or email me.
Actually, the *real* story was a guffawing girl at the newsagent, after sighting a resemblance to yours truly on the cover of a well known hunting mag, being apparently unable to distinguish between hunter & hunted. The hunted being a hairy goat, the hunter being Big Galoot!
And Draz, when attempting to disguise your late night ramblings ‘incognito’ mate, perhaps you might try to alter your usual Draz-speak phraseology, & the short time between unofficial & official posts around 1am in the morning.
It’s still pretty funny nonetheless. ;-)
Even without security considerations, Web applications suck quite entirely. It’s enough to make a person long for the days of the dumb terminal and mainframe.
Trying to do actual work in a company that uses all Web apps is, to say the least, frustrating. Every Web app depends on refreshing entire pages in order to change or add and then verify data. How long client-to-Web server communication might take is anyone’s guess. Most of the time, you can go get a cup of coffee while one page refreshes, and even then, it might not be finished when you get back to the screen. Web apps SUCK.