Monday, June 15, 2009

Challenges to webappsec - lightweight development

Submitted by Ryan Barnett 6/15/2009

Lightweight development of web applications (using WYWIWYG editors such as Shockwave/Flash) has created an interesting hiring trend that I believe has negatively impacted web application security. Due to the fact that these web development tools are so easy to use, they do not need to be run by an actual programmer. This fact has resulted in a major shift of web content being created by Graphic Designers instead of actual web application developers. Here is an actual job posting that I just ran across that confirms this trend:
About the Job
Web Graphic Designer / Flash Designer

Direct Response company is seeking a full-time, talented web designer who can hit the ground running, working with in-house designers to help design and develop concepts and web campaigns for various products. This is NOT a programming and/or developer position, we are looking for graphic designers who are experienced in web design.
This may not pose any significant security issues if you are only displaying a dynamic intro page to your site, however these types of applications are doing more and more these days. There are been numerous security vulnerabilities identified within Flash applications such as XSS and there are even been some assessment tools released such as SWFScan to help find issues.

The big problem that I see is that it is hard enough to try and develop secure web application code when you have a true developer who is trained in secure coding principles. You don't have a fighting chance of having secure code if you now ask someone who is not a developer and is using a lightweight development tool like Flash. To make matters worse, if you are in this scenario and then you do happen to run vulnerability assessments against the resulting code, what are you going to do to fix the issue??? Good luck having your Graphic Designer fix the CSRF bug you found in their splash page.

4 comments:

Clerkendweller said...

A challenge may also be the lightweight project budget - I saw "Business website for 100 GBP" recently. Mmmmm.

Anonymous said...

thanks for the info you posted here about the lightweigh development of application for web using WYWIWYG . . yes, it works well for web 2.0 development company

Unknown said...

Great information! Thanks.
Website design companies

Anonymous said...

The challenge in this regard may also be lightweight project budget - I see "for 100 pounds," a recent commercial websites. Mmmmm.
Thesis AND Dissertation AND Essay AND Assignment