Jacob West manages Fortify Software’s Security Research Group, which is responsible for building security knowledge into Fortify’s products. Jacob brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. In addition, he recently co-authored a book, “Secure Programming with Static Analysis,” published in June 2007. Before joining Fortify, Jacob worked with Professor David Wagner, at the University of California at Berkeley, to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.
The case of promiscuous parameters and other ongoing capers in web security
Security is harder than it looks: seemingly innocuous programming constructs can turn a cool project into a time bomb. The prevalence of “safe” languages like Java and C#, combined with an ever-increasing number of abstraction layers, is making vulnerabilities like buffer overflow and SQL injection things of the past. But is security on the Web getting better universally? This talk takes a deep dive into modern web programming paradigms and frameworks, including ASP.NET, Spring, and Struts, to demonstrate security antipatterns that every developer on the Web needs to grok.
We begin with an antipattern we call promiscuous parameters, which helped earn PHP its bad security mojo in the form of the “register globals” feature and has recently reared its ugly head in other popular frameworks. From here, we move on to discuss examples of other antipatterns for web security that every developer should understand and learn to avoid. The talk concludes with a look at the future of security on the Web and tips and techniques to help everyone involved in designing and building software get security right. If you respect your users, you owe it to them to keep your code safe.