
Thursday, 19 April 2007

Comments

Sweeney

That is fascinating! ...so... after you create something like this - that is completely new - how do you create tests that look for vulnerabilities? Did you have to start from scratch there as well?

Philip Stears

Hi Jeff - thanks, I hope the post helped in some way. As for testing, that's an extensive topic in and of itself; we have a goodly number of books on testing and security sitting on the bookshelf at our offices, and we take both very seriously.

The underlying premise is to think like an attacker: every time you surface some functionality, you have to be thinking about how that could be abused and what can be done to mitigate it. Obviously this doesn't stop at development; it is extended into testing as attack scenarios to ensure the continued security of the system.

Many attacks for web systems are quite well understood, such as cross-site scripting, SQL injection, double-decode errors, and so on, and so they are relatively easy patterns to look for.

Naturally that's a gross over-simplification, but it is as much as I feel comfortable writing in a small comment text box ;-) I may write a full post on it at some point.
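The comment above mentions double-decode errors and cross-site scripting as patterns that are easy to look for. The following is an added example, written for this page and not code from the commenter or from DriveWorks, of what "looking for the pattern" means on the defending side: a path check that decodes a request path only once is fooled by a doubly encoded value, whereas canonicalizing to a fixed point first is not, and the same canonicalization lets a simple scanner flag suspicious requests in access logs. The log lines, paths and function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log request lines (hypothetical paths, not from the page).
SAMPLE_LOG = """\
GET /products/list.aspx?id=42 HTTP/1.1
GET /files/%2e%2e/%2e%2e/config.xml HTTP/1.1
GET /files/%252e%252e/%252e%252e/config.xml HTTP/1.1
GET /search.aspx?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
GET /images/logo.png HTTP/1.1
"""

# "/../" or a leading/trailing ".." component after decoding.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# A script tag surviving into the decoded query string.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def decode_fully(value, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing.

    Returns (canonical_value, rounds_needed). A value that needs more than
    one round was encoded more than once, which is exactly the case a
    single-decode check misses.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def path_is_safe_naive(raw_path):
    """Flawed check: decodes once, then tests for traversal.

    If the server (or a later layer) decodes the path a second time, a
    doubly encoded '..' passes this check and is only revealed afterwards.
    """
    return TRAVERSAL.search(unquote(raw_path)) is None


def path_is_safe(raw_path):
    """Canonicalize to a fixed point first, then test the canonical form."""
    canonical, _ = decode_fully(raw_path)
    return TRAVERSAL.search(canonical) is None


def scan_log(text):
    """Flag request lines whose canonical form looks like a known pattern.

    Returns a list of (line_number, [reasons]) for lines worth a look.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 2:
            continue
        target = parts[1]
        canonical, rounds = decode_fully(target)
        reasons = []
        if rounds > 1:
            reasons.append("multi-round-encoding")
        if TRAVERSAL.search(canonical):
            reasons.append("path-traversal")
        if SCRIPT_TAG.search(canonical):
            reasons.append("script-tag")
        if reasons:
            findings.append((lineno, reasons))
    return findings


if __name__ == "__main__":
    doubly_encoded = "/files/%252e%252e/config.xml"
    print("naive check passes doubly encoded path:", path_is_safe_naive(doubly_encoded))
    print("canonicalizing check passes it:", path_is_safe(doubly_encoded))
    for lineno, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The design point is the order of operations: decode to a canonical form once, in one place, and run every security check on that canonical value; any component that decodes again afterwards reintroduces the class of bug the commenter names. The scanner's "multi-round-encoding" reason is useful on its own, since legitimate clients rarely encode a path twice.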
