Here is the set of questions, in order. Note the spot where you can't answer a question with a "Yes".
- Do you build web sites/apps, web services, or windows apps that use a browser control?
- Do you know what SQL Injection is?
- Do you know how it works?
- Do you actively code against SQL Injection attacks?
- Do you know what XSS is?
- Do you know how it works?
- Do you actively code against XSS attacks?
Did you answer "yes" to all seven questions? I had 26 people in the talk and almost all raised their hand for the first question, which makes sense. After all seven questions, not a single hand was left up. There were 3 or 4 people who made it through six of the seven questions, but no one actively codes against those attacks.
THOSE ATTACKS ARE THE TOP TWO OUT IN THE WILD AND EXPECTED TO BE A RISK FOR 2010!
Think about this for a second. This was at a CodeCamp, where real developers go. There were hundreds of developers that didn't attend the event. There were 26 people in the room with me, so those are those most interested in security. There were dozens and dozens attending other sessions at the event at the same time, missing my talks by choice. So the most likely people to be good at protecting their sites are not actively protecting their sites against the top two attacks. Granted some gurus there likely didn't attend my talks since they already do all the work and didn't need them, but this is a clear statement to me about what is not happening in the development community.
Do I blame those folks that attended my session(s)? No way. They had great questions, were honestly concerned, and I know they left with a desire to turn things around. They were a great bunch for sure. But I hope it showed them, as it did me, that this is the norm. There is a lot of work left to be done to educate people on secure web app development. Hopefully the army is a little bigger after yesterday.