Web application security among UK corporates is getting worse, according to audits carried out by CESG-accredited security consultancy NTA Monitor. NTA Monitor reports a ten percentage point increase in the total number of web applications found to have at least one high-risk security issue. A quarter (27 per cent) of all web …
Apache / Mod Security
If you're using Apache then also check out "Mod Security". This can help block many types of http attack and prevent information leaks if someone does manage to break in.
"DOS Evasive" is also a good one to try, but it seems to have gone AWOL from (what was) its official web site so you will need to do some digging to find it. Alternatively, you could configure your firewall (pf, if you're using OpenBSD - and why wouldn't you?) to help mitigate DoS attacks.
XKCD 327 FTW
"Did you really name your son Robert'); DROP TABLE Students;--?"
"Oh yes, little Bobby Tables we call him"
"We've just lost this year's Student Records. I hope you're happy."
"And I hope you've learned to sanitize your database inputs."
All user-supplied data should be properly sanitised
If you have a free text input field then it should accept all characters no matter which ones they are. You can't tell someone their name is wrong because it contains something that conflicts with your shitty coding/database.
Parameters...That is all.
How in God's name ...
... are SQL injection attacks even still possible these days, and who are these numpties that are churning out these shitty webapps that swallow any old user input without bothering to sanitise it? HOW are they even getting past the interview stage?
I mean, even trusty old Python running as CGI (nothing fancy, nothing cutting edge) can automatically and reliably sanitise the stream if you ask it to, without any further work from the developer.
This is simply silly. Anyone doing such piss-poor development should be not only dismissed but also possibly be held legally accountable for their irresponsible work.
It's not the development language in use or the paradigm, it's simply not knowing what they are doing.
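The point the "Parameters" and "sanitise" comments above are making, shown as an added example that is not from the article or any commenter: a bound parameter sends the name to the database as data, so little Bobby Tables is stored verbatim and the Students table survives, while the string-concatenation pattern lets the input become part of the SQL program. It uses Python's built-in sqlite3 module with an in-memory database and constructed sample names.

```python
import sqlite3

# Constructed sample inputs: the name from the XKCD strip quoted above, and an
# ordinary name with an apostrophe that a character "sanitiser" would also mangle.
BOBBY = "Robert'); DROP TABLE Students;--"
OBRIEN = "Siobhan O'Brien"

def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn

def naive_insert(conn: sqlite3.Connection, name: str) -> None:
    # The pattern the commenters complain about: user input pasted into the SQL text.
    # executescript() runs every statement in the string, as many DB layers would,
    # so whatever the input contains becomes part of the program.
    conn.executescript("INSERT INTO Students (name) VALUES ('" + name + "');")

def safe_insert(conn: sqlite3.Connection, name: str) -> None:
    # Parameterised query: the name reaches the engine as a bound value, never as
    # SQL text, so every character is accepted and stored verbatim.
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()

def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (table,)).fetchone()
    return row is not None

def student_names(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]

def run_naive(name: str) -> bool:
    """Insert by concatenation; return whether the Students table still exists."""
    conn = fresh_db()
    try:
        naive_insert(conn, name)
    except sqlite3.Error:
        pass  # a harmless O'Brien simply breaks the statement
    return table_exists(conn, "Students")

def run_safe(names: list) -> list:
    """Insert with bound parameters; return what was actually stored."""
    conn = fresh_db()
    for n in names:
        safe_insert(conn, n)
    return student_names(conn)
```

Note that the apostrophe in O'Brien breaks the concatenated statement outright, which is the "your name is wrong" failure the earlier comment describes; the parameterised version stores both names unchanged.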
Don't get it.
Developers commission security test. Test finds vulnerability. Vulnerability is fixed. Fuss over nothing.
One explanation of the results might be that people who didn't take security seriously before are now doing testing for the first time.
Let's see some results from a survey of hackers to get a true picture of the security landscape.