Security Answer of the Week, Websec Advice Edition — Part I
Good evening, and welcome to yet another edition of Security Question of the Week. I hope you are well. This week, we have a good deal of ground to cover, for I intend to:
- Prove conclusively that there’s nothing “weekly” about the “Security Question of the Week”
- Force you to think about PHP for a minute or two
- Keep beating the a-hash-function-is-not-a-message-authenticator horse
- And yes, quite a bit more.
How very exciting. One can hardly wait, can one? But unfortunately wait you must, as we are required first to pause for reflection on the question at hand:
A reprise
Like last week’s question, this week’s is another “spot the bad advice” question — this time, ripped straight from the headlines.
“Security in Web Applications” are the slides from a presentation on web security given a couple of weeks ago as part of MIT’s 6.470 Web Programming Competition. There is a lot of good advice in there — but unfortunately, there are also some reasonably significant problems. Spot them.
As always, the best answer(s) win the prize. Send them to me via email or on Twitter — bonus points for impact, obscurity, irony, sangfroid, schadenfreude, and/or bonhomie. I’ll post the results here at the end of the week.
It seems like ages ago, doesn’t it, since that question was posted here? And ages it has indeed been. Think back upon those halcyon days, if you would: it was a simpler time. We hadn’t yet even begun to ask whether the iPad would save, destroy, or indeed merely tangentially affect our proud “hacker culture.” We didn’t yet know the state of our union. Some poor souls may even have thought that answers to this very Security Question of the Week would be posted “at the end of the week.” A time, indeed, of innocence.
A search for answers
It was in the context of those prelapsarian days, then, that our story begins. For that was when our gladiators surveyed the landscape, full of possibility, and their eyes alighted on some Advice — yea, some Advice of a Web Security nature; of undetermined provenance but indubitable importance; and having a slidular nature. Advice, in other words, titled Security in Web Applications.
And verily, it was whilst reviewing these slides that our heroes bit into that forbidden fruit. For they began to note the imperfections and flaws contained therein. They saw evidence — incontrovertible evidence — that the world was not as it had been taught them. Flaws that no preëstablished harmony could account for; that no watchmaker God could be the author of; whose mere possibility implied a necessary truth about our world too horrible to comprehend. And the scales fell from their eyes.
Yes, gentle reader, it is on that very journey that I propose to take you now. It will be a journey of discovery and enlightenment, joyous in some respects, certainly — but it shall also be a journey of disappointment and sorrow, for at the end of it we shall find ourselves in a world of suspicion and fear, where random slide decks found on the Internet cannot be trusted, where every webapp is vulnerable until proven otherwise, and where even the best and brightest amongst us find their work — the fruit of their most heartfelt, helpfully meant labors — teased apart and nitpicked to shreds on some dude’s website. This terrible journey will have but one consolation: the knowledge that it is inevitable.
