
Blog @ andreaprovaglio.com

Thoughts on software development, design and people.

Oct 20, 2008

Help Digg the OWASP Conference in Portugal

Help support OWASP and spread the word about the upcoming OWASP conference in Portugal!

Able to digg?
http://digg.com/security/Web_Application_Security_experts_meet_at_Portugal

[Read More]

May 01, 2008

How to look like a dog on the Internet

Let's move on from the FUD of my previous post and find some solutions. Let's start by stating the worst-case scenarios.

[Read More]

Feb 13, 2008

Ethics and privacy in a (dis)connected world

Security is the art and science of CIA: Confidentiality, Integrity and Availability (yeah, we know that!). But many of the truths we cling to depend greatly on our own point of view. While some businesses might consider our shopping history a legitimate piece of information for them to know, we, as customers, may want to protect our habits under the broad term of privacy. But is there such a thing as privacy in a connected (actually more and more unplugged, i.e. wireless) world? Sun Microsystems CEO Scott McNealy's answer was a loud no, almost 9 years ago ("You have zero privacy anyway, get over it."). Since then, things have only got worse.

[Read More]

Jan 28, 2008

SQL injection reloaded

SQL injection vulnerabilities are still very common in web applications (OWASP rates injection flaws as the second most important security issue in its Top Ten 2007). Input validation and parameterized queries (also called prepared statements) are the most popular safeguards against SQL injection. However, even an application that uses parameterized queries can still be vulnerable to SQL injection: placeholders protect only the values they bind, not the parts of a statement (such as table or column names) that are still assembled from strings, and not data that is stored safely today but concatenated into a query tomorrow. This is not a new topic (early research on exploiting applications built on parameterized queries appeared more than 3 years ago), but there is still a lot of confusion among security-unaware software developers and architects.
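As an added illustration (example code written for this page, not from the original post), the following Python/SQLite snippet shows two ways an application that does use parameterized queries stays injectable: a sort column that cannot be bound as a parameter and is therefore concatenated, and a username stored safely through a placeholder but concatenated into a later query (second-order injection). The table, sample rows, function names and the allowlist are constructed for the example; each unsafe function is paired with its hardened form.

```python
import sqlite3

# Constructed sample data for this example (not from the original post).
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT);
INSERT INTO users (id, username, role) VALUES (1, 'alice', 'admin');
INSERT INTO users (id, username, role) VALUES (2, 'bob', 'user');
"""

# Hypothetical allowlist of identifiers the application is willing to sort by.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def make_db():
    """Fresh in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def usernames_sorted_unsafe(conn, column):
    """ORDER BY takes an identifier, which a '?' placeholder cannot bind
    (binding would sort by a constant). Concatenating the column name
    reintroduces injection even if every value in the app is parameterized."""
    rows = conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()
    return [r[0] for r in rows]


def usernames_sorted_safe(conn, column):
    """Same query, but the identifier must come from a fixed allowlist."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {column}").fetchall()
    return [r[0] for r in rows]


def order_by_probe(target_user, guessed_role):
    """Blind-injection payload for the ORDER BY sink: when the guess is right
    the rows come back in id order, otherwise in reverse id order, so the
    attacker learns one boolean per request without seeing the role itself."""
    return (
        f"(CASE WHEN (SELECT role FROM users WHERE username='{target_user}')"
        f"='{guessed_role}' THEN id ELSE -id END)"
    )


def register_user(conn, username, role="user"):
    """Correctly parameterized INSERT: quotes in the username are stored
    verbatim as data, which is exactly what makes them dangerous later."""
    conn.execute("INSERT INTO users (username, role) VALUES (?, ?)", (username, role))
    return conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()[0]


def roles_for_user_second_order(conn, user_id):
    """Second-order injection: the username is read back with a placeholder,
    then trusted and concatenated into the next statement."""
    username = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    rows = conn.execute(f"SELECT role FROM users WHERE username = '{username}'").fetchall()
    return [r[0] for r in rows]


def roles_for_user_safe(conn, user_id):
    """Hardened form: data coming back out of the database is still data and
    is bound with a placeholder on the way back in."""
    username = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()[0]
    rows = conn.execute("SELECT role FROM users WHERE username = ?", (username,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(usernames_sorted_unsafe(db, order_by_probe("alice", "admin")))  # id order: alice first
    print(usernames_sorted_unsafe(db, order_by_probe("alice", "user")))   # reversed: bob first
    new_id = register_user(db, "mallory' OR '1'='1")
    print(roles_for_user_second_order(db, new_id))  # every role in the table
    print(roles_for_user_safe(db, new_id))          # just mallory's own role
```

Note that SQLite's `execute()` refuses stacked statements, so the classic `'; DROP TABLE` payload fails here; the ORDER BY probe shows that injection is still fully exploitable as a blind oracle without needing a second statement.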

[Read More]