CHAPTER 8

Threats and Attacks: What Your Adversaries Do

Brian Kernighan has said that everyone knows that debugging is twice as hard as writing a program in the first place.1 You first need to understand what the code was originally designed to do, and then why it is not doing it. Therefore you need to be twice as smart to debug a program as to write it in the first place.2 Finding and exploiting a security vulnerability in a program is twice as hard as debugging it. Moral of the story? Never underestimate your adversaries: attackers are very smart people.

Attackers have two more advantages. First, cryptographers tell you that you cannot enumerate all the attacks, because solving all security flaws in a complex program becomes an intractable problem that leads to a combinatorial explosion of the state space. In plain English, this means that the hackers have a larger pool of ways to break a program than the defenders have ways to fix them. Another advantage for attackers is that they only need to be successful in their attacks once; you, as the security professional in charge of protecting your Web commerce infrastructure and its users, must be successful in your defense all the time. Add to the mix that attacks always get better — they never get worse — and you will realize how sensitive your job is.

In this chapter, we give you detailed knowledge of some of the most devastating attacks against Web applications and common tools in the attacker's arsenal. There are many ways of categorizing and ...
