Barry Shteiman: September 2008 Archives

September 26, 2008

SecureSphere vs Secure Coding

It is becoming more and more common for companies to weigh WAFs vs. secure coding options as they try to determine the best way to protect their web applications.  After talking to many developers, one thing I've learned is that many coders are not fully aware of the risks that come with secure coding.  And, on a related note, many companies are not fully aware of all the costs that come with secure coding.

Let's be honest: most of the pro coders already know about SQL Injection and the risks it brings to the table. And most of them already know how to write better code in order to try and avoid that hole. However, when it comes to attacks such as XSS, Forceful Browsing, and Cookie Attacks, they are much less certain how to write the code needed to block those threats (which in most cases is not even an option).
