Web application hacking is big business. Even the traditionalist network penetration testers are crossing over to the new security rock and roll scene. The average individual doesn’t know what DNS does, and if I said, “I knocked over the internet by attacking BGP,” at a cocktail party, guests would probably suspect I had just said something vulgar. On the other hand, “You’re a hacker? Can you get credit card numbers off websites?” is a common reaction from even the computer-unsavvy. My answer: “Yes, most websites suck.”

So how do you make your websites not suck? My colleague recently posted about OWASP’s ESAPI. Additionally, OWASP developed WebGoat, arguably the go-to training tool for web application hacking n00bs to cut their teeth on. On top of giving hackers a chance to bring down websites in more than a dozen ways, several WebGoat lessons include a lab section. These labs involve not only hacking the website, but also delving into the code to find the flaw that causes the vulnerability, fixing it, and testing the attack again. Getting down and dirty with the actual code is instructive for penetration testers and coders alike.

WebGoat labs should be mandatory for all website coders. Please start writing code that doesn’t suck so the web application hackers will stop getting so much attention and people will start paying attention to my mediocre attempts at hacking the infrastructure. Let’s call it the “Georgia for infosec prom queen” project, shall we?