July 3rd, 2008 Anthony Towry
Some bright expo coordinators have created a social network on ning.com targeted at Oklahoma's IT professionals. I'm still a bit skeptical as to if it will take off or not, but it's worth a shot. If nothing else this will be one more place for me to peddle DC405 meeting times.
I love things that encourage geek collaboration. It'd be great if an OKCBarcamp came out of this sort of forum. I guess we'll see if it blossoms, or stutters and dies. Check out the OKTechOnline.ning.com group here.
Posted in Community | No Comments »
April 16th, 2008 Anthony Towry
A recent post to thedailywtf.com details a long running hole in an Oklahoma Department of Corrections web application. It appears that their Sexual and Violent Offender registry was wide open to SQL injection via a specially crafted query string.
Now, SQL injection can get pretty damn creative, but come on, this is 2008. There's no reason to be open to this class of vulnerability. Shouldn't we be past creating dynamic SQL queries? So let's say you're nutso bongo enough to be creating dynamic SQL, these guys aren't even making the attacker interact with the form to discover the hole. It's a security through obscurity thing for sure (and as such just one shade of crap less offensive), but being on the hit list by way of a Google dork is just sad.
Developers don't all have to be security experts, but an understanding of the OWASP top 10 isn't too much to ask. Get out there, parameterize those queries, sanitize input and make sure that data stays data and doesn't suddenly make the jump to code!
Posted in Uncategorized | No Comments »
