We Need to Educate Our Peers

Datetime: 2016-08-23 00:12:50          Topic: SQL Injection

Failure to use DNS, IP addresses embedded in the code, ignoring physical realities (like bandwidth and latency)… the list of mistakes that eventually get dumped into a networking engineer’s lap is depressing.

It’s easy to reach the conclusion that the people making those mistakes must be stupid or lazy… but in reality most of them never realized they were causing someone else problems because nobody told them so.

BTW, it’s not just networking. Persistent ignorance of SQL injection is a constant annoyance to security experts. I love reading Robert Graham’s blog, and in one article he came pretty close to my rants: “…hackers aren't necessarily smart; the problem is that the victims are stupid,” elaborating later in the same article:

The thing about this vulnerability [SQL injection] is that any teenager can exploit it. You would think that a guy with 10 years experience creating websites would know more about this problem than a teenage hacker, but the reverse is true. Most people who create websites don't really understand how they truly work, nor do they care. They care about the end result, about what the user sees, about pretty pictures. They rarely care about the boring technical details.

Well, I was as stupid as an average web developer (even after ~2 decades of programming) until I attended a short course on web site security. The problem with things like SQL injection is that they’re non-obvious until you’re shown how they work, at which point you get the “how could I have been so stupid” moment (see also egg of Columbus). However, nobody tells application developers anything about security or networking challenges.

This is how Robert Graham explains why SQL injection errors persist:

The core concept is rather easy: don't mix code with data […]. Yet the problem persists because programmers fail to grasp the core concept. The reason is largely that professors fail to understand the core concept. SQL injection has been the most popular hacker attack for more than a decade, but most professors are even older than that. Thus, they continue to teach website design ignoring this problem. The textbooks they use don't even mention it.

However, it’s not enough to explain the problem: you have to help the people causing the problem understand how they can avoid it. The course on web site security I attended explained how to avoid SQL injection by using parameters in SQL queries (the database driver then sends the query text and the user-supplied values separately, so the values are never parsed as SQL), and I have used them ever since.
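As an added illustration (this is not code from the original post or from the course mentioned above), here is the “don’t mix code with data” point in working Python with the standard sqlite3 module. The table, the two users and the attack strings are constructed for the example; the vulnerable function builds the query by string formatting, the safe one passes the same values as parameters.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Two classic login-bypass strings, also constructed for the example.
PAYLOAD_OR = "' OR '1'='1"   # closes the string literal, adds an always-true clause
PAYLOAD_COMMENT = "alice' --"  # closes the literal and comments out the password check


def make_db():
    """Create an in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Mixes code with data: the user input becomes part of the SQL text.

    With password = "' OR '1'='1" the statement that reaches the database is
        SELECT ... WHERE name = 'alice' AND password = '' OR '1'='1'
    and every row matches.
    """
    sql = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameterized query: SQL text and values travel separately.

    The '?' placeholders are bound by the driver, so a quote or a '--'
    inside name/password is just bytes compared against the column.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, OR payload:     ", login_vulnerable(db, "alice", PAYLOAD_OR))
    print("vulnerable, comment payload:", login_vulnerable(db, PAYLOAD_COMMENT, "x"))
    print("safe, OR payload:           ", login_safe(db, "alice", PAYLOAD_OR))
    print("safe, comment payload:      ", login_safe(db, PAYLOAD_COMMENT, "x"))
    print("safe, real credentials:     ", login_safe(db, "alice", "s3cret"))
```

The vulnerable version returns both users for the OR payload and returns alice without her password for the comment payload; the parameterized version returns nothing for either attack string and only returns alice when the correct password is supplied. Note that escaping quotes by hand is not the fix: parameters are, because they keep the data out of the parser entirely.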

In the case of networking it’s pretty easy to explain to people who care why they should use hostnames instead of IP addresses, and there are plenty of good books explaining the tricks you can use to build high-performance web sites (I used some of them when creating the free TCP/IP, HTTP and SPDY course).
