Identity theft in web applications
I found this article in a BCS security newsletter that I received in my inbox this morning.
It provides an interesting angle on the testing (checking) of web applications, as even a seemingly trivial deployment may be exploited as part of a system attack.
As a web user I find this a really confusing area – how can a user tell that a given web page is safe enough to trust with their data? OK, it’s easy enough to check for https over http transport and even validate site certificates, but this forms only part of the story. If the web page includes script or other processing logic, then the user really should worry about how this stuff works too. There are even some good tools out there which automate the checking and calculate a ranking, but even if all the client side checks lead to an increased feeling of confidence, the user can only assume that the back-end implementation will be secure.
In the past, I’ve refused to use web sites that failed some basic checks and found that attempting to report such problems to the site owner can lead to confusion and further frustration. It’s not really a technology issue; there are some excellent techniques for keeping things secure. It’s more about demonstrating web security to users in an easily understandable or ‘consumable’ way.
For many it’s a question of trust: has the entity I wish to interact with taken reasonable steps to protect data?
However, such problems are not confined to on-line interactions. A couple of years ago I ended up in a long discussion over a hire car because I did not want to supply all the information requested on the release form and I did not like the way the forms seemed to be kept in an open box on the end of the desk.
Tags: security
