Top 10 Signs You Have an Insecure Web App

Blogger Mike Sutton posted a very concise list of things to look out for in web application security:

Top 10 Signs You Have an Insecure Web App

As I mentioned - the canceled CFJUG meeting this month was going to discuss just this. I'm thinking of rescheduling it for the 29th now, and will post when that is confirmed.

Archived Comments

Comment 1 by Stefan Richter posted on 11/7/2006 at 5:59 PM

Thanks, I'm interested in this topic, especially if it covers how to prevent this sort of thing in CF.

Comment 2 by Sam posted on 11/8/2006 at 5:33 AM

Ray,

Thanks for the pointer. I see a good opportunity for an open source app that would utilize some of the searches he performed in the article and give a simple security report for all the websites under one's control. Automated testing = good!

Perhaps, I'll start one in December (when school's out) =).

Comment 3 by tof posted on 11/9/2006 at 11:42 AM

I'm not sure I agree with point 9. The guy tells you to remove comments from your live code in case you use Google Code.

Seriously, who in the world removes their comments from their code before deploying?

Comment 4 by Sam posted on 11/9/2006 at 4:46 PM

tof-

When I read that, I was thinking more along the lines of "comment in the server side language you are using so it doesn't show up" rather than "remove all your comments."

But, he mentions things like "todo" and "fixme." I would hope every developer removes those before it goes into production - or else, it doesn't seem like it should be in production (or rather, if it no longer needs to be done or fixed, why keep the comment as clutter?)

Comment 5 by Raymond Camden posted on 11/9/2006 at 5:16 PM

tof: Sam has it right; the TODO and FIXME could reveal problems. And while you say CF strips all comments - what if an error occurs and you forgot to turn off robust exception handling? Then you can potentially see the comments.
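
Sam's point about keeping such notes in the server-side comment syntax, and the caveat above that a verbose error page can still expose them, can be checked before a template ships. The following is an added example, not code from the original post or its comments: it scans a constructed CFML template and reports HTML comments (which the server sends to every browser) that carry markers such as TODO or FIXME, while ignoring CFML `<!--- --->` comments that the server strips.

```python
import re

# Constructed sample CFML template (not from the original post): HTML comments
# that the server ships to every browser, and one CFML comment that it strips.
SAMPLE_TEMPLATE = """<html>
<!-- TODO: remove the debug login below before launch -->
<!--- FIXME: this CFML comment never reaches the client --->
<cfif form.password is "knockknock">
  <!-- admin bypass, fixme -->
</cfif>
<!-- plain layout note -->
</html>"""

# Markers that suggest a comment carries information worth keeping off the client.
RISKY_MARKERS = ("todo", "fixme", "hack", "bypass", "password", "debug")

# CFML comments open with three dashes; the server removes them before output.
CFML_COMMENT = re.compile(r"<!---.*?--->", re.DOTALL)
# An HTML comment opens with exactly "<!--" followed by something other than
# a third dash, so the lookahead keeps it from matching CFML comments.
HTML_COMMENT = re.compile(r"<!--(?!-).*?-->", re.DOTALL)


def find_leaky_comments(template: str) -> list[str]:
    """Return the bodies of HTML comments in a CFML template that would reach
    the browser and contain a risky marker. CFML comments are removed first,
    so a TODO inside <!--- ---> is not reported."""
    client_visible = CFML_COMMENT.sub("", template)
    hits = []
    for match in HTML_COMMENT.finditer(client_visible):
        body = match.group(0)[4:-3].strip()  # drop "<!--" and "-->"
        if any(marker in body.lower() for marker in RISKY_MARKERS):
            hits.append(body)
    return hits


if __name__ == "__main__":
    for hit in find_leaky_comments(SAMPLE_TEMPLATE):
        print("ships to client:", hit)
```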

Comment 6 by Sam posted on 11/9/2006 at 8:47 PM

Ray,

In that case, I'd be more worried about them seeing the code than the comments I think. I mean, <!--- to do: fix this error ---> to me, is far less worrisome than <cfif form.password is "knockknock"> ... let them in </cfif>

...

But, I may very well be overlooking something.

Comment 7 by Raymond Camden posted on 11/9/2006 at 8:51 PM

Oh no - you are right - I think the idea was you MAY think comments are harmless, and they certainly COULD end up being harmful if you aren't careful.

Comment 8 by tof posted on 11/10/2006 at 4:01 AM

I still think it's overkill, and not worth being in a "top 10 security issues". But that's just me.