Jeremiah Grossman, CTO and founder of WhiteHat Security in the United States says that the discovery in 2003 of a basic flaw in Microsoft's ill-fated Passport initiative offers a good example of the security challenges raised by web applications.
An attacker who crafted a slightly modified URL containing their own e-mail address and the username of the target, pasted it into a browser and followed a few simple steps could get the system to reset the password of any Passport account. All the attacker needed to know was the username.
Tenable Network Security founder and CTO Ron Gula, who wrote the Dragon IDS in the 90s, says Web application security is largely about simplicity. These days, Tenable maintains the Nessus security scanner, among other products. "Secure code is simple code," he says. "If you have layered defence... your code's going to have various, hopefully graceful ways, of catching abuse or perhaps logging the abuse."
Apache and IIS error logs, Gula says, are an information goldmine for coders who want to secure their Web apps. "Another thing Tenable does is log analysis. We can take logs from Apache and IIS and we've got a lot of customers who send us their error logs. Well, their error logs are chock full of PHP errors, MySQL query errors, just bad URI handling errors in Apache and things like that," he says. "The point is there's a lot of other ways to go to look for these [bugs]... if Nessus is going to scan the OS and the Web server but not look as deep into the application as you could, there's still other places you could look."
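The kind of error-log mining Gula describes, as an added example that is not part of the original article or of any Tenable product: a small Python script that parses Apache 2.4 `error_log` lines, sorts them into PHP errors, MySQL query errors and bad-URI handling errors, and then counts which script and line number, and which client, produced them. The log lines are constructed for illustration, the module names (`php7`, `core`) and the `AH00126` message are assumptions about what a given server would log, and the category names are the script's own.

```python
import re
from collections import Counter

# Constructed sample lines in Apache 2.4 error_log format (not real captures).
# A hard-coded string stands in for a file handed over for analysis.
SAMPLE_ERROR_LOG = """\
[Tue Mar 05 10:12:01.123456 2024] [php7:error] [pid 1234] [client 203.0.113.5:51234] PHP Fatal error:  Uncaught TypeError: count(): Argument #1 must be of type Countable|array in /var/www/html/login.php:42
[Tue Mar 05 10:12:03.000100 2024] [php7:warn] [pid 1234] [client 203.0.113.5:51240] PHP Warning:  mysqli_query(): (42000/1064): You have an error in your SQL syntax near '' in /var/www/html/search.php on line 17
[Tue Mar 05 10:12:04.000200 2024] [php7:warn] [pid 1236] [client 203.0.113.5:51241] PHP Warning:  mysqli_query(): (42000/1064): You have an error in your SQL syntax near ''' in /var/www/html/search.php on line 17
[Tue Mar 05 10:12:05.000300 2024] [core:error] [pid 1235] [client 198.51.100.7:40000] AH00126: Invalid URI in request GET /index.php?q=%zz HTTP/1.1
[Tue Mar 05 10:12:06.000400 2024] [php7:notice] [pid 1236] [client 192.0.2.9:33000] PHP Notice:  Undefined index: user in /var/www/html/profile.php on line 8
[Tue Mar 05 10:12:07.000500 2024] [mpm_prefork:notice] [pid 1000] AH00163: Apache/2.4.57 (Unix) configured -- resuming normal operations
"""

# Apache 2.4 default ErrorLogFormat:
#   [timestamp] [module:level] [pid N(:tid N)] [client IP:port] message
# The client field is absent for server-lifecycle messages, so it is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<msg>.*)$"
)

# PHP reports the offending script either as "/path/file.php:42" (uncaught
# exceptions) or as "/path/file.php on line 42" (warnings and notices).
SOURCE_RE = re.compile(r" in (?P<file>/[^\s:]+)(?::(?P<l1>\d+)| on line (?P<l2>\d+))")


def classify(module, msg):
    """Bucket a message into the error families named in the article."""
    if msg.startswith("PHP ") and re.search(r"SQL syntax|mysqli|mysql", msg, re.I):
        return "mysql_query_error"   # a query the app built failed to parse
    if msg.startswith("PHP "):
        return "php_error"           # PHP runtime fault in application code
    if module == "core" and "URI" in msg:
        return "bad_uri"             # Apache refused a malformed request URI
    return "other"


def parse_error_log(text):
    """Parse error_log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["category"] = classify(e["module"], e["msg"])
        s = SOURCE_RE.search(e["msg"])
        e["file"] = s.group("file") if s else None
        e["line"] = int(s.group("l1") or s.group("l2")) if s else None
        # Drop the ephemeral source port so repeat offenders group by address.
        e["client_ip"] = e["client"].rsplit(":", 1)[0] if e["client"] else None
        entries.append(e)
    return entries


def summarize(entries):
    """Counts a reviewer would start from: error family, code location, client."""
    by_category = Counter(e["category"] for e in entries)
    by_location = Counter((e["file"], e["line"]) for e in entries if e["file"])
    by_client = Counter(
        e["client_ip"] for e in entries
        if e["client_ip"] and e["category"] != "other"
    )
    return {"by_category": by_category, "by_location": by_location, "by_client": by_client}


if __name__ == "__main__":
    summary = summarize(parse_error_log(SAMPLE_ERROR_LOG))
    for name, counter in summary.items():
        print(name)
        for key, n in counter.most_common():
            print(f"  {n:3d}  {key}")
```

The `by_location` counter is the part that matters for the point Gula makes: a script and line number that keeps throwing SQL syntax errors is a place where user input is reaching a query without being handled, and it shows up in the error log whether or not a scanner ever reached that code path. The `by_client` counter is a cheap side benefit for operations staff, since one address producing most of the malformed-URI and query errors is worth a look.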
An often slipshod approach to the design of Web apps doesn't help, Gula adds. "The real question is what is the plan for this code? Is it the kind of thing where it was developed online and people are making live changes to it as we speak, or is there a QA process for it?" he says. "There's a big difference."