LEARN BY DOING

Filed in archive Security on September 12, 2005



When developers are writing code, the idea of protecting the web applications they are creating is not foremost in their minds. One reason is that the majority of software developers don't really know much about computer security. If developers were grounded in the knowledge of what attacks could occur and how those types of attack could be prevented, they would probably take defensive actions without giving it much thought. Educating developers is not the same lost cause as educating home PC users on how to protect their computers from attackers or viruses. Developers should have some vested interest in the process and the ability to stop a problem from happening up front, especially when a production issue arises from an attack and you are called at 3 AM to help solve the problem.

The best resource I have found for this type of issue is the WebGoat application from the Open Web Application Security Project. Sure, most developers understand the basic concepts, but not many have taken the time to really try to execute any of the attacks they have heard about so often. The idea behind this application is to learn by doing. WebGoat can be installed on a PC fairly easily. Once installed, there are a number of lessons that target specific ways a hacker could try to break into a web application. WebGoat takes a person step by step through the different attacks, and if a person gets stuck on the concept or mechanics of an attack, it provides hints to help move them along in the exercise.

Another reason to educate yourself, or the people who work for you, is that the information others might use against you is so readily available. It should be assumed that most hackers in the wider world know about this WebGoat application and would like to use the knowledge they have gained. I suggest taking some time and investing in a basic understanding of web application security to protect your assets.


Tags: Security  Hackers 
