My security class is talking about the types of commonly seen mistakes that can crop up when writing programs that lead to security flaws, and while I usually introduce the ideas using “normal” programming examples because it is the common background I can assume my students have, I’m trying to help the students map these ideas to what they’ve seen of database or web development as well. So I finally went back in my saved links and read through a Google blog post from a month ago about security issues in hosting user content, specifically web content.
After a brief but reasonably nice survey of the problem they’re trying to address, they include this interesting statement, contrasting the current state of affairs to the old days of hosting static HTML: “For a while, we focused on content sanitization as a possible workaround – but in many cases, we found it to be insufficient. For example, Aleksandr Dobkin managed to construct a purely alphanumeric Flash applet, and in our internal work the Google security team created images that can be forced to include a particular plaintext string in their body, after being scrubbed and recoded in a deterministic way.”
I’ve been trying to make the argument to our digital media students (as I get opportunities to talk to them) that they really ought to think of security as a good elective to round out their major, particularly those focusing on courses in web development and mobile application development. I’m sorely tempted to print out a copy of this article and go over and paste it on their lab door – or at least remind their professor to do another advising push towards the course on its next offering. These problems are perhaps outside the scope of what most web developers would encounter, but I wonder if rejecting the importance of understanding these issues would be analogous to an application developer believing that only someone working in operating system design really has to understand security.