Bruce Schneier recently pointed out
this blog post by Troy Hunt. Mr. Hunt wrote about a B2C site operated by Tesco PLC. At the time of its publication , Tesco's site had received little or no attention by their technical security auditors. Bruce found Mr. Hunt's blog post valuable, "...not because it picks on Tesco but because it's filled with good advice on how not to do it wrong."
I agree. Hunt discussed problems that are very common and occur with many, many sites. The bulk of the problems he atrributes to
unconscious incompetence -- and that can occur anywhere. We can even outsource the problem to incompetent service providers. These problems are caused by a lack of attention (and/or resources) combined with a lack of knowledge regarding the risk.
One technical example Hunt highlighted is the limitation imposed on "sessions" maintained via HTTP. Cookies must be used, because HTTP is stateless.
All of us use sites where session continuity is managed by trading cookies in plain text -- and these sessions are all subject to MITM attack. In fact, I'm transferring a cookie in plain text right now to post this here at
www.daemonforums.org -- I can't post without it.
Another issue Hunt highlights is to pay close attention to the security of the complete chain of software used to deploy modern web applications. The chain can be both long and complex, and contain disparate program products and their libraries.
---
Interesting read, though I disagree with him regarding passwords vs. passphrases -- as he takes issue with my favorite XKCD comic. Mathematically, bits of entropy are key to placing brute force attack successes into sufficiently long polynomial time. To do that we need to ensure our randomly chosen passphrase words are sufficiently random to provide that entropy.