So you wrote your own web server ?

Since I am posting something I can only assume I have an assignment due today, let me see... Assignment 1...28th of September... doh! Ah well, better get on with it (writing a post that is).

I am constantly amazed at the lengths developers will go to to guarantee the insecurity of the application thy are writing. The application I am evaluating at work at the moment is a web application that, up until this version, has run atop IIS. Now in all their wisdom the manufacturer has decided it would be a far better idea to write their own web server. But wait it gets better the services for this particular application need to run with local admin rights including the web server. Wait, let me get this straight you want me to expose a custom written web server with who knows how many buffer, stack and heap overflow vulnerabilities, not to mention race conditions, memory leaks et al, running as local administrator to the internet? Let me think about it. NO!

Writing a web server is hard and re-inventing the wheel is simply unnecessary. This goes for more than just web servers, encryption, authentication (another recent doozy) and authorisation schemes among others have already been built for you. If you are homebrewing something like this you are doing it wrong.

0 comments:

Post a Comment