I suppose you could be right, but many beginning programmers are searching the web for answers every day. Wouldn’t this be a good blog for them to stumble upon?
Do a quick search on Google for yourself? This post shows up as #9…
I think you might be overestimating the skill of the readers of this blog. I doubt that Jeff has 122K subscribed expert developers (you can start by adding me to the non-expert list). Even then, an occasional reminder list like this never hurts.
This list contains no brainers for some of us, but most of these security holes aren’t because a developer doesn’t know HOW to defend against it, but instead that he doesn’t know that he even NEEDS to defend against it.
I don’t think that ANY blog, or most web resources for that matter, is a good resource for a beginning programmer. Some may disagree, but I think that there is never the comprehensive knowledge gained from a good, peer reviewed, book on whatever topic it may be. This page is no different - however entertaining it may be.
Well chief, yes I am scared… because I want to put wholesale fixed income banking on the net. Not some retail bull. Full on trading-floor-class execution capability. But a top 25 list of holes, essentially amounting to immaturity in the infrastructure, means that I will stay with proprietary, hard coded shrink wrapped apps which give me the control I need.
@tomma what are you on about? Developing any real commercial application is hard, and no matter what you do, you need to take security into account. At the very least don’t do any boneheaded things.
These rules aren’t only applicable to web apps. You sound like a scared bank employee who is still thinking that ‘only if this web thing catches on will we create an internet banking site.’
Just remember, the only safe application is the one that doesn’t do anything.
Security is as much about not doing the wrong thing as it is about doing the right thing. You don’t need to be perfect, just don’t do something stupid.
To me JavaScript should only be used for non-security related web apps. Use PHP for security measures and include tons of validation. The PHP reference I have says to never trust the user’s input. That’s what I go by.
One of the worst mistakes a manager can make is to hire a sloppy developer who does not consider it his responsibility to write secure code. From my experience it’s pretty much black and white. If the developer is bad from the beginning, don’t let him stick around; find a new one. Bad habits die hard.