I would argue that is even worse than that -- tens of thousands of website owners install Joomla or Wordpress (and their respective extensions and plugins) and then never bother to update them when there is a security patch upgrade.
*This* is one of the primary problems. And it is *not* okay "itsoknoproblembro". :-/

- ferg

On Tue, Jan 8, 2013 at 5:23 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> http://www.infosecurity-magazine.com/view/30106/poor-programming-app-design-bolster-data-breaches/
>
> With data breaches on the rise and the costs stemming from them escalating exponentially, human error is often the culprit. But there’s a deeper issue: poor application design and faulty programming are all too common.
>
> It’s more important than ever to create secure applications during the development phase, but very few strides have been made along that path, according to Pieter Danhieux, an instructor at the SANS Institute and co-founder of the security and hacking conference BRUCON in Belgium. The teaching of application design and programming needs to undergo a substantial change because students are not taught and have not practiced secure design processes at an early enough stage, he asserted.
>
> “Programming students will typically attend a single module on security during a course and it often comes in the later part of the educational cycle,” he explained. “The result is often a class of very talented developers but they don’t think with security in mind.”
>
> That leads to poor security practices such as building applications with buffer-overflow and SQL injection vulnerabilities that are widely exploited by hackers. Danhieux also said that many of the fundamental mistakes that he was exploiting as a penetration tester 10 years ago are still the most common issues today.
>
> Approaches for combatting data breaches, from development to client password policies, need to be supercharged in the face of a growing threat, he said.
>
> “The US is one of the only countries with a well-developed disclosure culture around security breaches, so the assumption might be that there are relatively few incidents and that America is the epicenter,” Danhieux said. “I can tell you for a fact that the scale of the attacks is at epidemic proportions and it is organized, well-funded and global.”
>
> Thus, website designers, architects and developers must understand and learn web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regime. “The goal is to learn the skills of an attacker so that students can become better defenders,” Danhieux said.
>
> That’s not to say human error isn’t still a big part of the problem. “You can’t say it’s just down to insecure program design,” he noted. “The bigger problem is still due to insecure passwords, over-privileged users and poorly patched systems.”
>
> Danhieux is familiar with the reality on the ground in his work for BAE Systems Detica, an information intelligence company. “We deal with incidents and security assessment results every day, and when you look at the root cause analysis, 80% of the time it was one of these issues,” he said.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

--
"Fergie", a.k.a. Paul Ferguson
fergdawgster(at)gmail.com