Innocent Code: Excerpt from the Introduction

[Note: This is a pre-language-laundry version.]

This book is kind of weird. It's about the security of a web site, but it hardly mentions firewalls. It's about the security of information, but it says very little about encryption. So what's this book all about? It describes a small, and often neglected piece of the web site security picture: Program code security.

Many people think that a good firewall, encrypted communication and staying up to date on software patches are all that is needed in order to make a web site secure. They're wrong. Many of today's web sites contain program code that makes them dynamic. Code written using tools such as Java, PHP, Perl, ASP/VBScript, Zope, ColdFusion, and many more. Far too often this code is written by programmers who seem to think that security is handled by the administrators. The effect is that an enormous number of dynamic web sites have logical holes in them that make them vulnerable to all kinds of nasty attacks. Even with both firewall and encryption in place.

Current programmer education tends to see security as off topic. Something for the administrators, or for some elite of security specialists. We learn how to program. Period. More specifically, to make programs that please the customers by offering the requested functionality. Some years ago, that would probably have sufficed. Back then, programs were internal to organizations. Every person with access to our program wanted it to operate correctly, so that they could do their day-to-day job.

In the age of the Web, however, most of us get to create programs that are available to the entire world. Legitimate users still just want the program to do its job for them. Unfortunately, our program is also available to lots of people who find amusement in making programs break. Or better, making them do things they were not supposed to do.

Until recently, those who find joy in breaking programs have put most of their effort into mass-produced software, creating exploits that will work on thousands of systems. Over the last couple of years, however, focus on custom-made web applications has increased. International security mailing lists have been created to deal with the web application layer only, many good white papers have been written, and we have seen reports of the first few application-level attacks in the media. With increased focus, chances are that more attackers will start working on application exploits. While the security people tend to keep up, the programmers are far behind. It's about time we start focusing on security too.

This book is written for the coders, those of us programming dynamic web applications. The book explains many common mistakes that coders tend to make, and how these mistakes may be exploited to the benefit of the attacker.

When reading the book, you may get the impression that the main focus is on how to abuse a web site rather than on how to build a site that can't be abused. The focus on destruction is deliberate: In order to build secure applications, one will need to know how programming mistakes may be abused. One will need to know how the attacker thinks when he snoops around looking for openings. In order to protect our code, we'll need to know the enemy. The best way to stop an attacker is to think like one.

The goal of this book is not to tell you everything about how to write secure web applications. Such a cover-it-all book would span thousands of pages, and be quite boring: It would contain lots of details on every web programming language out there, most of which you would never use. And it would contain lots of details on problems you will never try to solve. Every programming platform and every type of problem has its own gotchas.

The goal of this book is to make you aware that the code you write may be exploited, and that there are many pitfalls, regardless of which platform you use. Hopefully, you will see this book as a teaser, or a wake-up call, that will make you realize that the coding you do for a living is in fact a significant part of the security picture. If you end up being a little bit more paranoid when programming, this book has reached its goal.