Sunday, March 28, 2010

Interesting (No) Show of Hands

Yesterday I spoke at CodeCamp 13 in Waltham, MA about web app security. Two talks: one on XSS and SQL Injection, the other on CSRF and a discussion of the rest of the OWASP Top 10 list. During the first session I asked a set of questions to see first-hand whether what I had suspected was true. People were to raise their hand if the first question was a "yes" answer and leave it up until they answered "no" to a question.

Here is the set of questions, in order. Note the spot where you can't answer a question with a "Yes".

  1. Do you build web sites/apps, web services, or Windows apps that use a browser control?

  2. Do you know what SQL Injection is?
  3. Do you know how it works?
  4. Do you actively code against SQL Injection attacks?

  5. Do you know what XSS is?
  6. Do you know how it works?
  7. Do you actively code against XSS attacks?

Did you answer "yes" to all seven questions? I had 26 people in the talk and almost all raised their hand for the first question, which makes sense. After all seven questions, not a single hand was left up. There were 3 or 4 people who made it through six of the seven questions, but no one actively codes against those attacks.

THOSE ATTACKS ARE THE TOP TWO OUT IN THE WILD AND EXPECTED TO BE A RISK FOR 2010!

Think about this for a second. This was at a CodeCamp, where real developers go. There were hundreds of developers that didn't attend the event. There were 26 people in the room with me, so those are the ones most interested in security. There were dozens and dozens attending other sessions at the event at the same time, missing my talks by choice. So the people most likely to be good at protecting their sites are not actively protecting their sites against the top two attacks. Granted, some gurus there likely didn't attend my talks since they already do all the work and didn't need them, but this is a clear statement to me about what is not happening in the development community.

Do I blame those folks that attended my session(s)? No way. They had great questions, were honestly concerned, and I know they left with a desire to turn things around. They were a great bunch for sure. But I hope it showed them, as it did me, that this is the norm. There is a lot of work left to be done to educate people on secure web app development. Hopefully the army is a little bigger after yesterday.
