Monday, December 15, 2008


Does James McGovern write secure code?

Many folks now that I am a chapter leader for OWASP and therefore may assume that the code I have written in the past is secure. I figured I would remove all doubts in terms of my abilities...

I have spent lots of time lately reviewing code that I have written in the past NOTE: I kept copies of things I shouldn't :-) and concluded that from a security perspective I am still better than average (this is not saying much) and have a lot of room to improve.

In 1999, I made some changes to a design for a session management application (a precursor to Yale CAS, OpenSSO, etc) and introduced a defect related to cookie handling. This code was for an online bank. Luckily, they are now defunct.

In 2001, I wrote several articles for Java Developers Journal under the column: Ask Doctor Java. Out of this series, one article contained sample code that I directed towards a reader who asked a question regarding security and it contained one place where input validation was missing.

In 2004, I was the lead author for a J2EE book where the goal was to write a book as fast as possible in order for it to be available for JavaOne (we missed the date) and so far, I have identified seventeen vulnerabilities in the sample applications.

The thought that others may have learned how to program by reading my books and now have indoctrinated themselves into worst practices is somewhat troubling. While I can't rewind the past, I can most certainly make things better going forward and hope to double the amount of chapter meetings I lead in 2009...

<< Home
| | View blog reactions

This page is powered by Blogger. Isn't yours?