Scripting Vulnerability Crisis: Crawling Out of the Rabbit Hole

March 15, 2017 | Views: 3021



What you do not know will not hurt you – right? Wrong! Scripting vulnerabilities will creep up on you, and they can cause a temporary project shutdown, an entire rewrite of a project or, worse, project cancellation. Long gone are the days of developing just to see if it works. No corporate or government project standard can any longer afford the luxury of waiting for a security team to catch your malformed code; we must architect and code responsibly with security in mind from day one.

“What about all those new scripting languages that are considered more powerful, give us greater flexibility with our coding and ease of use?” Nope; you as a developer have a responsibility to secure ‘data at rest’ and ‘data in transit’. The minute you use a <script> tag to carry data, you have opened a Pandora’s box of security vulnerabilities.

“What about JSON; everyone uses JSON?” JSON delivered to the browser is still exposed to XSS escape-and-evade tactics, so why accept that risk for the sake of high-performance client-side coding when securing the data on the server is the better option?
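To make the point in the two paragraphs above concrete, here is an added example (not code from the original post) of why putting data inside a <script> tag is dangerous and how a server can neutralize it before sending the page. The function and variable names (renderUnsafe, renderSafe, safeJsonForScript, countScriptEndTags) and the sample record are assumptions constructed for this illustration. JSON.stringify alone does not escape the characters the HTML parser cares about, so a string value that contains a closing script tag ends the script block early; replacing those characters with JSON \uXXXX escapes keeps the output valid JSON and a valid JavaScript expression while removing the breakout.

```javascript
// Added example (not from the original post): embedding server-side data into
// an inline <script> block. Names below are illustrative assumptions.

// Naive approach: JSON.stringify alone. JSON does not escape '<' or '>', so a
// string value containing "</script>" terminates the script block inside the
// HTML parser, and whatever follows is parsed as markup.
function renderUnsafe(data) {
  return `<script>window.__DATA__ = ${JSON.stringify(data)};</script>`;
}

// Hardened approach: after JSON.stringify, replace the characters that are
// meaningful to the HTML parser ('<', '>', '&') and the two Unicode line
// terminators that are illegal inside JS string literals (U+2028, U+2029)
// with JSON \uXXXX escapes. The result is still valid JSON, so JSON.parse
// on the client returns the original value unchanged.
function safeJsonForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(data) {
  return `<script>window.__DATA__ = ${safeJsonForScript(data)};</script>`;
}

// Count how many script end tags the HTML parser would see. A correctly
// rendered page has exactly one: the real closing tag.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample record: a user-supplied display name that happens to
// contain markup, as it would if it had been stored without validation.
const sample = { user: 'alice', displayName: '</script><b>not data</b>', balance: 42 };

console.log(countScriptEndTags(renderUnsafe(sample)));  // 2: the block is cut open
console.log(countScriptEndTags(renderSafe(sample)));    // 1: only the real closing tag
console.log(JSON.parse(safeJsonForScript(sample)).displayName === sample.displayName); // true
```

The escaping happens on the server, before the page is assembled, which is the point the post makes: the client never has a chance to misinterpret the data because the server has already removed every character that could change the HTML parser's state.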

“My project is inside a firewall and therefore we can code our internal application however we want to.” I can also wrap myself in warm fuzzy blankets, but eventually, in a rainstorm, I will still get wet. The reality is that no firewall is ultimately a 100% guarantee of security, and as developers coding for internal or external applications we must still take responsibility for ‘data at rest’ and ‘data in transit’.

“I am also on HTTPS (secure socket layer) with a signed security certificate and therefore I can code my project however I want to.” ‘Man in the Middle’ attacks are one of the simplest exploits, and any low-level hacker is quite adept at them. Being in the middle of loan applications for major banks, e-commerce transactions for some of the largest companies online and even the endless forms required by any governing entity is often worth a lot of money, to criminals and to espionage efforts alike.

Currently, a large majority of online commerce is being performed with serious scripting vulnerabilities on the front end of these sites. These vulnerabilities create security holes, and outside efforts to exploit those weaknesses often go undetected for years. We need immediate intervention by a Government Agency to flag, regulate and, if needed, fine these sites. The capability exists to control loan applications, credit card applications and e-commerce transactions, and to exploit thousands of customers’ PII and thousands of customers’ credit card information.

“I found these security vulnerabilities on my corporation’s websites and applications. I documented it, contacted my security team and created a formal report, and my job was terminated regardless.” Again, we need a Government Agency to flag, regulate and, if needed, fine the sites and the corporations that own them. We need new laws to govern these actions and to protect developers caught in the middle of big corporate greed.

“After I was hired, I was required to build the frontend for applications and websites using methods that were inherently insecure. I proposed a plan to my management team to securely code the projects, I created a formal report and I also notified my security team. My job was still terminated.” Again, we need new laws to govern these actions and to protect developers caught in the middle of layers of management that are often out of control.

In the world today, the security-minded and focused developer does not always get to be a super hero. You are often portrayed to a team as the odd man out, someone rocking the boat or a threat to the project. The reality is that hacking is big business, and the access and control that go with it are highly valued by criminal organizations that monetize an exploit. I have seen as many as half the vehicles on a team vandalized or involved in accidents all in the same month, and development teams exposed to viruses and other respiratory ailments for months at a time. This list could go on and on, but the only reason it goes on is a lack of laws and regulation to force these corporations to close all frontend security vulnerabilities. Therefore, getting your hacker onto our team so that he can continue to code holes is not a criminal enterprise that needs a Hollywood budget and stunt team.


Comments
  1. Thanks for the comments! True Demon – what I see is hiring employees that are verifiable ‘tools’, and from day 1 projects are architected with purposeful vulnerabilities that continue to propagate with each additional dev added. Vulnerabilities escape the security code scrapers and therefore enter production environments and are literally running unnoticed except to those that can monetize it. On large enterprise environments the layers of management and HR run contradictory to security requirements. My last background check, which was supposed to be a comprehensive 10-year check of everything for a bank, only consisted of low-level fingerprinting and an active warrant check – I had to call the company twice because I thought there was a mistake, but they verified that the HR rep only requested the prints and warrant check. Several people around me were hired with out-of-date visas.

  2. This was a great submission. I agree whole-heartedly that some very serious intervention is needed to protect security-focused developers from receiving backlash when they point out vulnerabilities in development. CSSLP is a good start, but when you start exercising the knowledge you’ve earned from that certification, it’s commonplace to find that nobody wants to actually hear that their project is insecure because it means more work and more money will need to be spent on it, assuming the project is salvageable.

    I enjoyed the read! I’d like to see some of your ideas come to fruition.

  3. Nice one..!!

  4. “we must architect and code responsibly with security in mind from day one.”

    If only!!
