Ever notice how in hindsight, most of the online attacks we see could have been easily prevented? Granted, we tend to have 20/20 vision when we’re looking back, but take something like the Bell telco in Canada and their SQL injection attack the other day. Guys, it’s a simple matter of validating the untrusted data and parameterising the SQL statements. We know this – we (the software community) have had this discussion!
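To make that point concrete, here is an added example (not code from the post, from Bell or from the webinar) using Python's built-in sqlite3 module with a constructed in-memory users table. It puts the string-concatenation defect beside the two defences named above, whitelist validation of the untrusted value and a parameterised statement, so you can see what each one does with the same inputs.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration; not from any real system.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    con.commit()
    return con


def lookup_vulnerable(con, username):
    # The defect: untrusted input is concatenated straight into the SQL text,
    # so the input can change the meaning of the statement, not just its value.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_parameterised(con, username):
    # Parameterisation alone: the driver binds the value as data, so whatever
    # the caller passes is compared as a literal string and never parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed username policy


def validate_username(username):
    # Whitelist validation: accept only the character set a username may contain.
    return bool(USERNAME_RE.match(username))


def lookup_safe(con, username):
    # Both defences together: reject malformed input early, then parameterise.
    if not validate_username(username):
        raise ValueError("rejected untrusted input: %r" % username)
    return lookup_parameterised(con, username)
```

Run the three lookups with a normal username and with input containing a quote character: the concatenated version returns rows it was never asked for, the parameterised version returns nothing, and the validated version refuses the input before it reaches the database.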
And that’s ultimately what the 10 online attacks I presented in the Pluralsight webinar last week boil down to – known risks. We’ve seen them all before, documented them and created all the resources needed to train our developers, yet here we still are. This webinar revisits these attacks, deconstructs how they occurred and examines some of the lessons we can take away from them. Of course these are all lessons talked about in my courses, but I can guarantee we’ll continue to see the same mistakes made over and over again regardless of how well known the risks are.
On attack number 10 – Heartbleed: we really didn’t see this one coming and don’t have a worthy precedent or comparable risk. However, as I say in the webinar, many of the practices we’ve been promoting in security for a long time now would have put a sizeable dent in the impact of the Heartbleed bug had it been exploited in an environment following those practices.