Why Do Web Developers Keep Making The Same Mistakes?

An anonymous reader quotes HPE Insights: Software developers and testers must be sick of hearing security nuts rant, "Beware SQL injection! Monitor for cross-site scripting! Watch for hijacked session credentials!" I suspect the developers tune us out... The industry has generated newer tools, better testing suites, Agile methodologies, and other advances in writing and testing software. Despite all that, coders keep making the same dumb mistakes, peer reviews keep missing those mistakes, test tools fail to catch those mistakes, and hackers keep finding ways to exploit those mistakes. One way to see the repeat offenders is to look at the Open Web Application Security Project Top 10, a sometimes controversial ranking of the 10 primary vulnerabilities, published every three or four years by the Open Web Application Security Project... It boggles the mind that a majority of top 10 issues appear across the 2007, 2010, 2013, and draft 2017 OWASP lists...

It's sad that eight out of 10 of the issues from 2013 are still top security issues in 2017. In fact, if you consider that the draft 2017 list combined two of the 2013 items, it's actually nine out of 10. Ouch... What can you do? Train everyone better, for starters. Look at coding and test tools that can help detect or prevent security vulnerabilities, but don't consider them silver bullets. Do dynamic application security testing, including penetration testing and fuzz testing. Ensure admins do their part to protect applications. And finally, make sure you establish a culture of security-aware programming and deployment.

Wrong

[hcs_$reboot]

That's not the same web devs making those same mistakes. Developers with some experience do not write code that fails against easy sql-injection. But companies prefer to hire younger inexperienced devs for the reasons that have been discussed here on /. many times.

Re:Wrong

[ovanklot]

That's not the same web devs making those same mistakes. Developers with some experience do not write code that fails against easy sql-injection. But companies prefer to hire younger inexperienced devs for the reasons that have been discussed here on /. many times.

I'll add to that that this isn't limited to web developers.

Re:Wrong

[gweihir]

Does not match my experience. Some (few, say 10%) of these people do indeed acquire insight and experience with more time in the field, but most do not seem to. They make the same basic mistakes and have the same defective and incomplete understanding of how thing work, 5 years in, 10 years in and then they move to another field because they have become unemployable in their "specialty".

Re:Wrong

[KiloByte]

I'll add to that that this isn't limited to web developers.

Hell yeah this. In most fields, there's decades of prior wisdom that one should at least try to get a grasp of before making "brilliant" inventions. Like, you shouldn't write an init system before reading "Unix for Dummies".

Things like SIGHUP/nohup are basic knowledge, if you don't know this you shouldn't write your snowflake way of killing processes on logout. If you don't know ways to authenticate users and what user names are explicitly allowed by POSIX (the 0day issue), you shouldn't create a gaping security hole, and even worse, you don't WONTFIX it just because one of your distribution's clicky-clicky tools doesn't allow such names, while "$EDITOR /etc/passwd" or LDAP are "user errors".

I'm for one a kernel newbie -- yet I know better than when faced with a problem like "shit network driver does high-order allocations while atomic, with disastrous reasons when under memory pressure" to rush into making an ad-hoc pool instead of reading how it should be done, or asking those with a clue. The former was my first reaction, yet I at least bothered to think before wasting developers' time with a bogus patch.

Re:Wrong

[scsirob]

We have a special name for those people who do not learn from their mistakes. We call them "Managers"..

Re:Wrong

[jrumney]

That's not the same web devs making those same mistakes.

True, the web developers from 2013 have all retired and taken up jobs in the fast food industry by now.

Re:Wrong

[swilver]

Those few are the ones you want to keep. However, you won't be able to keep them if you don't pay them well, or make their lives difficult/annoying with stupid management decisions. They'll be the first to leave as they have many options and don't have to deal with stupidity -- leaving your company with those that seem unable to learn from their mistakes, or just don't give a shit.

I'm considered a decent developer, and if you want to keep me you better be prepared to pay me significantly more than that fresh CS graduate that just joined the team, don't give me any shit, trust what I'm doing and let me do my work unsupervised -- like how you would treat another person that you've come to respect and trust.

Do that, and I'll pro-actively come up with ideas and solutions for problems you didn't even know existed yet and will treat your software as my own making sure that no harm comes to it, not from inside or outside the team.

Failing that, I'll just rake in some money until something better comes along, while you only get maybe 50% of my best as the constant distractions/annoyances/stupidity just don't foster a good environment for creative work.

Re:Wrong

[tlhIngan]

That's not the same web devs making those same mistakes. Developers with some experience do not write code that fails against easy sql-injection. But companies prefer to hire younger inexperienced devs for the reasons that have been discussed here on /. many times.

Well that pretty much applies to practically every job these days. The companies pursue money above all else, to the detriment of themselves - assuming everyone (and everything) is a swappable interchangeable part.

Nothing can be further from the truth - sure some things can be swapped around with little issues (printers, paper, pens, etc), but other things require considerable effort to swap around - things like servers and people. Servers need to be set up, software and data transferred, configured, and added to the network and then everything else needs configuration to use the new server. Sure there's redundancy and all that, but you still had to set it all up and it's a ton of effort to do so. It's why the best we have is putting them in VMs so they can migrate around which is a ton less work than configuring new machines. But even then it's no panacea, since OSes get outdated and you need to upgrade them as they fall out of support.

People are the same. They embody knowledge, and often what you're paying for is not the actual work output, but the knowledge of how the systems work inside the company. Even if everything is documented and you fire the sysadmin and hire some junior guy in his place, there's going to be a ramp up time to acquire basic working knowledge, and then to replicate the institutional knowledge lost by firing the old sysadmin. Sure the documentation is there, but it takes time to digest.

Plus, the documentation may cover "what", but not "why". Why are systems set up the way they are?

The other thing is, replacing something means the team has to readjust to new team dynamics. Not a problem if they were bad and you removed the problem person, but if they were quite gelled and work well together, you risk breaking up what works well. Seems like a great way to add risk to a project - will the replacement work well within the team, or will everything fall to pieces?

Re:Wrong

[cardpuncher]

More to the point, why should these serious "mistakes" be possible at all.

If these errors keep occurring, you have to stop blaming the web developers and start blaming the technology. There is no good reason that cross-site scripting or session hacking should even be possible. It's a mad idea to turn user input into a human-readable SQL command string when no human needs to read it.

The problem is that we stared off with insecure shoddy hacks and there has been a whole slew of incremental mitigations, none of which happens by default in order not to break further the already-broken crap that's out there. That's not the fault of the application developers, that's the fault of the browser and server developers.

Re:Wrong

[K.+S.+Kyosuke]

Hell yeah this. In most fields, there's decades of prior wisdom that one should at least try to get a grasp of before making "brilliant" inventions. Like, you shouldn't write an init system before reading "Unix for Dummies".

Obligatory reference

Re:Wrong

[ThosLives]

This was my thought too - if you have a critical component in a system, you want to make it as difficult as possible to get wrong.

Especially if there is clearly a "correct" and "incorrect" way to do something. There's a reason most sane cables either make it extremely difficult to connect in the wrong orientation or even better make it so all the likely orientations are serviceable.

The tools and frameworks could pick up the ball and make it more difficult to get things wrong, this would be much less an issue.

Re:Wrong

[david_thornley]

The mistakes are possible because they aren't always mistakes.

How do you prevent SQL injection? Putting user input into other strings is a reasonable thing to do. Passing a string to the database is a reasonable thing to do. It would be a pain to use parameterized SQL for everything, and I don't know of a database that does.

There's ways to sanitize a user-entered string so it can't be used for cross-site scripting. Make that mandatory for using user-entered strings and you'll break some other stuff.

Most of the common errors have solutions that require a certain amount of judgment.

Security is always last

Security is always last when implementing a new piece of software. Until management gets that security is vital to their well being, this will continue to happen. But since they have cybersecurity insurance and since everyone has the memory of a goldfish, the company will be fine, and therefore they don't need to spend the money on it. After all it would just be an added expense and possibly delay the introduction of the software in the first place which could ultimately be worse than having a buggy program.

Because you keep replacing them with kids.

[Narcocide]

Next question.

Simple: Cheaper than possible personnel

[gweihir]

Web application developers are the lowest-skilled, least educated and least talented people in the IT space. I recently had to explain to some people with supposedly 5 years experience in that space what an HTTP header looks like, because they had no clue. Same for basically every other aspect, like cookie naming, how to make you application able to work behind a proxy (in an enterprise-environment, no less), etc. It is staggering how clueless these people are. All they seem to see is a framework, which they barely understand and then put an application on top that makes all the basic mistakes you can think of. Of course, they eventually remove the mistakes that break the application in the specific target environment for a specific browser, but that is it. Forget about any understanding of the mechanisms they are using or of IT security. Some do not even know what an IP address is or how an URL is composed from components.

So in essence: Developers that are grossly incompetent and management that is grossly incompetent for hiring these people. As we have a lot of "bean-copunter" types in management these days (MBAs and even less competent ones), things will not change anytime soon.

The real problems are...

[bradley13]

IMHO, these problems stem from the following source problems:

- Incompetent developers. Look at the number one problem, number one for years now: injection. I teach students how to avoid this the first time they touch a database, which is typically in year two of their degree program. It doesn't matter: half of them still write injectable queries, even though using "prepared statements" isn't any more complex. The thing is: there is so much code to be written, that even these students - who evidently don't understand, don't care, and can't be bothered - even these students will find jobs, and some of them will be working on your web projects.

- Internet speed. TFA talks about "agile methodologies" as if they were a good thing. While "iterative development" absolutely does make sense, in too many companies "agile", and "Scrum" and their brethren are an excuse for pushing half-tested code out the door, because everything has to be fast, fast, fast . I have news for the marketing department: No, your latest brainstorm does not have to be live next week. In fact, given that the brainstorm-after-next will basically reverse this one, it would really be better for everyone if you just fell off a bridge and drowned.

- Too many frameworks. Real example: I used to use Guice, a small dependency-injection framework from Google, for a small demo-project. A few months ago I decided to update Guice to the latest version. But the latest version depends on another framework, Guava. Guava requires JavaX. JavaX requires Spring. Spring requires...good god, at this point I deleted Guice. I mean, seriously, binding in that much foreign code? First, you are now dependent on all that code, and whatever changes are made to it. Second, you are bringing in all of the vulnerabilties present in that code. And you have absolutely no idea what those may be, because you certainly aren't going to validate all of that code yourself. Thank you very much, I'll just implement that small bit of functionality I need, all by myself.

Re:The real problems are...

[Hognoxious]

But the latest version depends on another framework, Guava. Guava requires JavaX. JavaX requires Spring. Spring requires...good god, at this point I deleted Guice.

Look on the bright side, it didn't need systemd or gnome.

Re:The real problems are...

[gweihir]

I fully agree on all of these. I also teach a software security lecture, and last year one student summarized the purpose as "warn everybody to get an expert and not to do it themselves". Well, at least that one learned something.

As to the last point: This is a real catastrophe in the making. Nobody still understand what they do and their dependencies seem to grow all the time. I now push "does not depend on frameworks" as a sign of quality to customers, wherever possible.

Re:The real problems are...

[dougTheRug]

If you were teaching civil engineering, the first day you would be showing them a film about the bridge that blew down because of its design failing to accommodate for its stress inputs. And the fact that people's lives were on the line.

I would very much like to know what the first day in your course is like.

I think you have to honestly look at yourself and if you are not educating developers on how and why injection flaws work, and how they must be stopped at every handoff of data between interpretation domains, then you are a bad professor and a part of the problem. Insufficient education is, in my observation, the largest contributor to the problem.

Re:The real problems are...

[swilver]

The example given was Guice, which is a DI framework. To implement DI you need to write at least a couple of thousand lines of code, using not every day concepts like annotation scanning, reflection, thread safety, etc. That's a non-trivial amount of work requiring a solid test suite to boot.

Other than that I totally agree with you. I cringe every time I see some huge framework imported just to use one of its utility functions... Sure, a framework is great if over half the code needs it and it saves a lot of work, but adding a new huge framework to a huge existing code base without thought to save writing a dozen lines of code? I reject those commits when I'm leading the project.

Re:The real problems are...

[Bongo]

I think there’s a side issue: only by trying to write one’s own, does one start to understand the problem. So as a learning excercise, trying to write one’s own is really useful. And then, use a proper framework. Otherwise there’s the opposite problem of people relying on frameworks which they don’t understand.

Re:The real problems are...

[Kjella]

The thing is: there is so much code to be written, that even these students - who evidently don't understand, don't care, and can't be bothered - even these students will find jobs, and some of them will be working on your web projects.

And some of them will be working for PHBs that don't understand, don't care and can't be bothered. Far too often the only metric people are measured by is whether the code does the right thing with the right input under normal execution. Error handling? Security? It's working, ship it. That's what you get measured on. That's what your boss gets measured on. If you say it "isn't any more complex" and they do it anyway it's clearly because they don't get corrected or rejected. Those errors conditions are for QA to catch. Those injection vulnerabilities is something for InfoSec to discover and flag. Instead of being a safety net on the off chance that you should fail, they become the wall you throw shit at and see what sticks.

All businesses want it yesterday, it's how the world works. Heck I'm equally bad when I want somebody else's code (internal or external) fixed. Somebody has to push back, but IMHO this is a management problem not a developer problem. If they don't want proper releases and testing, then it's eternal beta. Expect to be beta testers. As for frameworks, they usually try to do the right thing. It's when the frameworks aren't sufficient and they try to hack it on their own that most shit happens. But you can say that about everything, it's like asking a Java developer who isn't used to doing memory allocation or raw pointers to write C. Does it mean everyone should start off doing C or assembler? It actually doesn't, but don't go out of your depth.

Because the market doesn't value security.

[aussersterne]

The pressure to release early and often is extreme. "MVP" rules the day, and no one in most senior roles has the granular perspective necessary to be aware of "security" as a concept. Is it checked into the testing repo and does it run? PUSH IT OUT. We'll fix any bugs as we "iterate."

Oh wait, we won't actually iterate. Because existing features don't get us as much as releases of new ones. We'll just keep pushing out new ones as fast as we can.

Security? Hell, often even basic functionality doesn't work. Release it broken, then declare it that part code deprecated in favor of new versions with new features in six months. Even if security is flawed, that's okay, it was only out for a few months "that way." Anyone still using it should have upgraded. If they don't it's their fault.

There are flaws in the new version/new features as well? Well they've only been out for eight weeks. It was an MVP. We're agile. We'll fix any bugs as we "iterate..."

etc.

Re:Email addresses!

[KiloByte]

Actually, most libraries are wrong, too. If you look at nodejs, it's astonishing how 90% of packages that ship a single line of code (plus tons of boilerplate) get even that single line wrong.

It doesn't take a genius to look up the relevant RFC and write a regexp.

Re:Ob

[dougTheRug]

Why are C developers still writing buffer overflows?

Re:Budgets

[gtall]

"scrum sessions" There's your problem right there. Agile does not encourage good overall design. It is a micromanagering dream and causes coders to only work for the next sprint goals. As long as their little piece of the pie works, they get rewarded. The entire dirty snowball that gets produced is merely a by-product.

Ctrl-C Ctrl-V

[digitalhermit]

Many APIs have demo code in curl or Java with the express warning that it's demo code and not to be used in production. But it shows up anyway.

I worked on a project last year where some offshore developers were tasked with writing an integration to a RESTful API for Nexpose. As far as "web programming" goes, talking to a REST API is pretty much a sine qua non for being called a "web developer". They didn't know how to do so. I understand that members of this same team have worked on other corporate sites.

Combine CTRL-C/CTRL-V with inexperience and you have the source of your mistakes.

Software "Engineering" vs Civil Engineering

[uthanda]

I've been thinking about this for a few years and have come to the conclusion that we will continue making the same mistakes until we can create a set of rules that everyone can follow. If you look at what civil engineers have done you will see that they have reduced much of what they do to equations and repeatable patterns (for lack of a better term). When someone sets out to build a bridge or a building, they start by designing it with an architect and then they pull out the equations and key tables to ensure that they have the load, weight, use, wind and all the other elements take into account. This is coupled with a very strong set of building codes that dictate minimum strengths, materials and designs to ensure safety. Setting aside the occasional corner cut in construction or neglect, when was the last time a building or bridge just collapsed? (Ok, we know the bridge in Minneapolis, but that wasn't design it was neglect)

It's this level of discipline and rigor that ensures what engineers and architects design and build will work as planned. Couple this rigor with government and professional group mandated licensing of practitioners (try getting a building built without a professional engineer stamp on the design certifying the design is sound) and you can ensure that those designing and building something has a minimum level of training and understanding of the basic physics and processes to ensure sound design.

Until software development can create those same sets of rules and patterns, we will be doomed to repeating the same errors over and over. What we're doing right now is the equivalent of showing someone geometry, basic physics and some sense of writing and then expecting them to design and build the Empire State Building, Burj Khalifa or an Airbus A380. If our physical counterparts did the same, then no one would even think of flying or sleeping in anything other than a tarp strung from trees.

Agile

[geekymachoman]

What does agile have to do with it, except make company spend money on "scrum masters" and other nonsense instead of hiring a proper security team ? While it has some good ideas, i wouldn't attribute improvements in security to standup meetings, runs and scrum masters.

Some parts of C++ need more than 32K

[tepples]

Unless you're targeting a system with 32KB of RAM or less, or you have very strict realtime guarantees (and so aren't even using malloc) there's rarely a good reason to use C these days.

I would dispute this 32 KiB figure.

Several years ago, I wrote a program for Game Boy Advance homebrew that used a single std::ostringstream once, and even after enabling -Wl,--gc-sections, the statically linked executable was 180,032 bytes. It turned out that the constructor for a std::ostringstream in GNU libstdc++ would call the constructors for date, time, and currency formatting aspects of the locale even if I never output a date, time, or currency object. For a scale reference, the GBA's RAM is 32 KiB of fast RAM, 256 KiB of slow RAM, and 96 KiB of video RAM. Although up to 32 MiB of execute-in-place ROM in the cartridge is available for a single-player game, no cartridge is inserted into the systems of players 2, 3, and 4. Thus the program has to fit completely into the 256 KiB of slow RAM, as the fast RAM is used for the stack and BSS.

True. We teach problems instead of solutions

[raymorris]

My experience is the same, most (but not all) experienced people are people who have been doing the same stupid shit for a long time. Some people put in the effort to learn something new and improve every week. Most people don't.

For those who DO try to constantly learn and improve, the security community has made a mistake in how we try to help them. The OWASP top 10 list was mentioned. I'm a member of OWASP. The list, which we promote, is a basically list of how bad guys can exploit vulnerabilities. We say "SQL injection". What does that mean to a developer? What is the developer supposed to do or not do with that? Perhaps it would be more useful to publish a list of SOLUTIONS, best practices, things developers should do.

Instead of saying "SQL injection" it might be more useful to list "parameterize SQL statements". That's something developers can do.

Instead of "cross site scripting", how about putting "hrmlencode all output strings" on list. A developer can call htmlencode(). They know how to do that. They don't know how to "don't allow cross-site scripting". The proof of that is in 90% of code that TRIES to prevent cross-site scripting; it doesn't work. Most attempts at stopping cross site scripting are easily defeated. Even when they try it doesn't work, so why should they bother to try? If we tell them "use htmlencode()" that will work, and it's easy for them to do.

Re:True. We teach problems instead of solutions

[LesFerg]

I must have been exceptionally lucky to work for an employer who also understood the importance of having a solid team of testers working closely with the developers.
For a start we had to make sure that nothing a user could type into a text entry could break the web page or the database, either on the way in or when coming back out to be displayed, be it the most basic issues like apostrophes in user names or HTML tags and such.
Then the testers had to learn all sorts of clever tricks to get around our best efforts to stop them breaking our code. This included SQL injection and other web-page breaking techniques.
If a company has mission-critical systems being developed and deployed via HTML, then they need to take responsibility for testing and penetration-testing the solutions, not just smacking out the fastest cheapest solution.
If you get the chance to work alongside good testers, make them your friends and make sure you challenge each other, taking into consideration both the crazy things your regular users can do and the malicious things others may attempt.

Really?

[stonecypher]

"Why do drivers keep making the same mistakes? It looks like eight of the top ten causes of death on the highway are the same as they were in 2013."

Um because this shit is difficult, and if you don't know anything about it, it's easy to ask vapid generalized questions that seem meaningful.

Part of the problem is our process

[FrozenGeek]

My experience is along the following: Noobs develop a new website. Senior devs have little time to review what the noobs have done. Website goes live. Users are happy. A year or two down the line, the former noobs move to other employers so as to obtain a real raise. Some time thereafter, serious security flaw is noted on original website. Flaw is fixed by senior devs, who may, or may not, adequately explain the problem to the noobs currently maintaining the website. The original devs involved never learn of the flaw or the fix. Simply put, we are not adequately taught security in school and we are unlikely to learn it at work. Compounding the issue, there is always a rush to production and very often security is the low priority task that gets tossed in order to meet the (artificial) deadline.