[ajug-members] Cookie question

Dean H. Saxe dean at fullfrontalnerdity.com
Thu Jul 6 14:31:00 EDT 2006


Les,

I think you hit the nail on the head by saying:

> Granted, most applications worth anything will have additional security
> measures in effect to prevent this kind of thing (i.e. this request is
> from user 192283, but they're asking for data for user 192284 - access
> denied).  But there are _SO_ many apps out in the 'real world' that have
> nothing of the sort - pretty scary actually.

As an auditor of many applications, I can tell you that this type of  
authorization is lacking in most applications.  In fact, based on  
what I have seen, approximately 25% of all flaws I find in code  
reviews/threat models are in authorization.  Oops.  Horizontal  
privilege escalation is often never considered by application  
designers.  They are worried about user A accessing admin  
functionality (vertical privilege escalation), not user B's data  
(horizontal privilege escalation).

So how many applications really do security well?  In the reviews I  
have done of professionally developed applications I can confidently  
say the number is still zero.  Does that mean secure apps don't  
exist?  No, absolutely not!  But I'd argue that they are the  
exception to the rule.  Unfortunately, security doesn't pay the  
bills, getting applications out on time and under budget does.  So  
security is often an afterthought in many development environments  
and developers are not given the training and tools to design secure  
applications and write secure code.  This is changing, thankfully,  
but there is an awful lot of legacy code out there which has yet to  
be scrutinized.

-dhs

Dean H. Saxe, CISSP, CEH
dean at fullfrontalnerdity.com
"To announce that there must be no criticism of the president, or  
that we are to stand by the president right or wrong, is not only  
unpatriotic and servile, but is morally treasonable to the American  
public."
     -- Theodore Roosevelt
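The check Les describes (request comes from user 192283, data requested belongs to user 192284, access denied) as an added worked example. This code is not from the mailing-list post and not from any application Dean reviewed; it is a small Python model with constructed user ids, record ids and store contents, showing the unchecked lookup beside the same lookup with a horizontal ownership check and an explicit vertical (admin role) check, and an audit trail so denials are visible in logs.

```python
"""
Added example (not from the original mailing-list post): a minimal model of
the authorization gap discussed above. The user ids, record ids and
store contents below are constructed sample data, not values from any real
application.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the server actually knows about the caller, derived from the
    session cookie. The client never supplies user_id directly."""
    user_id: int
    role: str  # "user" or "admin"


@dataclass
class Record:
    owner_id: int
    body: str


class AuthorizationError(Exception):
    pass


# Constructed sample data: two ordinary users with one record each.
RECORDS = {
    501: Record(owner_id=192283, body="statement for user 192283"),
    502: Record(owner_id=192284, body="statement for user 192284"),
}

# Constructed audit trail so denials show up for whoever reviews the logs.
AUDIT = []


def get_record_unchecked(session, record_id):
    """The 'nothing of the sort' pattern from the quoted mail: the caller is
    authenticated and the record exists, so it is returned. Any logged-in
    user can read any other user's record just by changing record_id."""
    return RECORDS[record_id].body


def get_record(session, record_id):
    """Same lookup with horizontal authorization: the record's owner must be
    the session's user. Admins are allowed through, which makes the vertical
    decision explicit rather than a matter of omission."""
    record = RECORDS.get(record_id)
    if record is None:
        # Same response as a denial so record ids cannot be enumerated.
        AUDIT.append(("deny", session.user_id, record_id, "missing"))
        raise AuthorizationError("not found or not permitted")
    if record.owner_id != session.user_id and session.role != "admin":
        AUDIT.append(("deny", session.user_id, record_id, "not owner"))
        raise AuthorizationError("not found or not permitted")
    AUDIT.append(("allow", session.user_id, record_id, "ok"))
    return record.body


def admin_list_all(session):
    """Vertical check: only the admin role may list every record."""
    if session.role != "admin":
        AUDIT.append(("deny", session.user_id, None, "not admin"))
        raise AuthorizationError("admin role required")
    AUDIT.append(("allow", session.user_id, None, "admin list"))
    return sorted(RECORDS)


def demo():
    """Exercise both paths for an ordinary user asking for someone else's
    record. Returns (leaked_unchecked, blocked_checked, blocked_vertical)."""
    alice = Session(user_id=192283, role="user")
    leaked = get_record_unchecked(alice, 502) == RECORDS[502].body
    try:
        get_record(alice, 502)
        blocked = False
    except AuthorizationError:
        blocked = True
    try:
        admin_list_all(alice)
        blocked_vertical = False
    except AuthorizationError:
        blocked_vertical = True
    return leaked, blocked, blocked_vertical


if __name__ == "__main__":
    print(demo())  # (True, True, True)
    for entry in AUDIT:
        print(entry)
```

The design point is that the ownership comparison uses the user id taken from the server-side session, never one sent by the client, and that a missing record and a record owned by someone else produce the same response, so the checked path does not leak which ids exist.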