The Twelve Web Security Falsehoods

Today marks the one-year anniversary of Hacking Web Apps. The book is an updated and greatly expanded version of my earlier one that had been part of the Seven Deadliest series. HWA explains the concepts behind securing and breaking web applications. It also represents the longest time I’ve ever spent writing an exploit.

Since then I’ve supplemented the book with examples, techniques, and commentary on web security here on the blog. (And I have enough notes to continue for quite a while, not to mention material for a potential new edition.)

The book and the blog have covered all kinds of facts and true stories about web security, including situations where something widely believed to be true needs to be false, and a dozen fundamental truths that everyone should know even though many developers remain unaware of security.

So, in the spirit of self-reflection and contrariness, here are the Twelve Web Security Falsehoods:

  1. The app you designed matches the app you deployed.
  2. HTML5 makes your site less secure.
  3. Web programming languages lack APIs for securely constructing SQL queries.
  4. HTTPS fixes spoofing, framing, and phishing attacks.
  5. Native mobile apps don’t need to use HTTPS or verify server certificates because they aren’t browsers.
  6. Flash and Java are worthwhile, secure plugins for your browser.
  7. HTML injection flaws that you can’t exploit are flaws that no one can exploit.
  8. Blacklisting “alert” and “script” prevents HTML injection.
  9. A site that protects the security of your data consequently protects the privacy of your data.
  10. Iterated hashing protects users who have chosen weak passwords.
  11. You only need to follow a Top 10 list to secure a web site.
  12. This list is complete.
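Falsehood #3 is the easiest one on the list to disprove in code. The example below is added here and is not from the book or the blog; it uses Python's standard-library `sqlite3` module with a constructed in-memory table, and the table name, column names and sample rows are assumptions for illustration. It puts a string-concatenated query beside the parameterized form that every mainstream database API provides, and shows that the concatenated version already fails on a perfectly legitimate value (a name containing an apostrophe), because the database cannot tell where the data ends and the query resumes. The parameterized version passes the same value as data and returns the correct row.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory users table (assumed schema, sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Falsehood #3 in practice: the query text is built by string concatenation.

    The untrusted value becomes part of the SQL grammar, so any quote in it
    changes the meaning of the statement. This is the root cause of SQL injection.
    """
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """The API that falsehood #3 claims does not exist: a placeholder ('?') in the
    statement and the value supplied separately. The driver sends the value as
    data, so quotes inside it are never interpreted as SQL.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_breaks_on_quote(conn, name="O'Brien"):
    """Return True if the concatenated query fails on an ordinary name with an
    apostrophe. SQLite reads the text as  ... name = 'O'Brien'  and rejects it."""
    try:
        lookup_concat(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("parameterized:", lookup_param(db, "O'Brien"))
    print("concatenated query rejected by the database:", concat_breaks_on_quote(db))
```

The same pattern exists under other names in every common stack (`PreparedStatement` in JDBC, `pg_query_params` in PHP, `$1` placeholders in Go's `database/sql`), which is why the falsehood persists only as a matter of habit rather than of missing tooling.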

Thank you to everyone who’s visited the site or purchased a book!

You might be interested in my next book coming out this November, the fourth edition of The Anti-Hacker Toolkit — a nearly complete rewrite that covers modern hacking tools beyond the field of web security.

If you’ve enjoyed this blog, consider buying a book. Or give a shout-out on Twitter and share this site with some friends. There’s always more content on the way!

Published by Mike Shema

Security, RPGs, and writing. Immersed in music (80s), sci-fi (dystopian), and horror (spooky). #synthwave Host of the Application Security Weekly podcast.