We’ll meet up with our friend the wizard again at the end of the book to see what he’s learned to make his magic fruit orchard a safer place. Of course, we know that the wizard is wise enough not to test out his new spells on anyone’s trees except his own. This goes for you too. Virtually all of the attack techniques we’ll be describing are illegal for you to test against any web site, unless you own that site yourself or have explicit permission from the owner.
We’ve Covered
Misplaced priorities and the need for a new focus
Seventy percent of attacks come in through a site’s web applications.
Spending money on network firewalls isn’t going to help this problem.
Network security versus application security: The parable of the wizard and the magic fruit trees
Web applications are like giants: they’re very powerful, but not very smart.
Thinking like a defender
Application-level attacks are caused by logic flaws in your application.
You need to find and fix these flaws to be secure.
You’re not going to do this by pretending to “think like an attacker.”
But you can do this by learning security principles and starting to think like a defender.
The OWASP Top Ten List
The Open Web Application Security Project (OWASP) periodically publishes a list of the ten most critical web application vulnerabilities currently seen in the wild.
This list is very widely referenced, and you should become familiar with the vulnerabilities and the underlying causes.
Secure features, not just security features
It’s important to know how to write everyday application functionality in a secure manner, not just how to use special security features like cryptography and SSL.