It's 2017, and command injection is still the top threat to web apps

The Open Web Application Security Project will on Monday, US time, reveal its annual analysis of web application risks, but The Register has sniffed out the final draft of the report and can report that it has found familiar attacks top its charts, but exotic exploits are on the rise. A late pre-release version of the Project' …

  1. sabroni Silver badge

    moving functionality from the server side to the client “brings its own security challenges”.

    Not really. Security on the client is always just a convenience to the user (don't waste their time allowing them to start things they don't have the permissions to finish). Real security has to be on the server. There is no real way of securing the client, it's a browser.

    1. Nick Ryan Silver badge

      Re: moving functionality from the server side to the client “brings its own security challenges”.

      While I wholly agree about security being server side, I suspect that a large part of the issue with client side security is that, because there are so many developers (ab)using JavaScript to create single page applications, it's the access and functions that these provide to locally available resources that is the problem.

      On the other hand I have come across far too many idiot developers who assume that everything that comes from their "rich" web application is trusted and therefore adequate security and data validation on the server side is not necessary.

      1. Anonymous Coward

        Re: moving functionality from the server side to the client “brings its own security challenges”.

        Totally agree - validation etc. on the client is purely to help improve user experience; it needs to be replicated on the server to be any kind of guarantee that it's doing what was intended. And yep, I also agree that there are too many inexperienced web developers out there who don't appreciate that. I'm being polite and swapping "inexperienced" for "idiot" :)

        We had a guy apply for a job here recently who was after £60K plus benefits, which he said was a significant pay CUT from what he'd been earning in California and London, and who could boast on his CV that he'd got experience with cool stuff like Ethereum plus every Javascript framework you could care to mention, but who had no clue how to write a secure application, nor one that was scalable or highly available. Apparently "the framework takes care of that". Knob!

    2. Brewster's Angle Grinder Silver badge

      Re: moving functionality from the server side to the client “brings its own security challenges”.

      A decade ago I found this problem in a popular jobsearch site. So my PDF CV became a self-extracting exe. I did notify them but I got denials and threats.

  2. MJB7

    Re: moving functionality from the server side to the client “brings its own security challenges”.

    Yes it does. It means you can't just move "that" chunk of functionality from server to client - you have to split the security functionality out, and leave it in the server, and then move the rest of the functionality to the client.

    You also have to find a way of testing the security functionality (because the client, by default, probably won't let you).
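The point running through sabroni's thread and MJB7's post, that client-side checks are a convenience and the authorisation and validation that actually matter have to stay on the server, as an added example that is not code from the thread, from The Register or from OWASP. It is a constructed transfer handler in Python: the first version believes an `owner` field the browser filled in (and the browser's form validation), the second resolves ownership from the server-side session and repeats the input validation itself. `Session`, `ACCOUNT_OWNERS`, `parse_amount` and the handler names are all inventions of the example; the sample accounts are constructed.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class Session:
    """Identity established on the server (e.g. looked up from a session cookie).
    Nothing in here comes from the submitted form."""
    user_id: str


# Constructed sample data for the example: which user owns which account.
ACCOUNT_OWNERS = {"acct-001": "alice", "acct-002": "bob"}


class Rejected(Exception):
    """Raised when the server refuses a request, whatever the client claimed."""


def parse_amount(raw):
    """Re-validate on the server what the browser's form validation also checked.

    The browser may have enforced 'positive number, two decimals', but a request
    can be built without the browser, so the server applies the rule again."""
    try:
        amount = Decimal(raw)
    except (InvalidOperation, TypeError, ValueError):
        raise Rejected("amount is not a number")
    if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
        raise Rejected("amount must be positive with at most two decimals")
    return amount


def transfer_trusting_client(form):
    """Anti-pattern: the 'owner' and 'user' fields were filled in by the client,
    so the comparison proves nothing, and the amount is used unvalidated."""
    if form.get("owner") != form.get("user"):
        raise Rejected("not your account")
    return ("transfer", form["from"], Decimal(form["amount"]))


def transfer_server_checked(session, form):
    """Hardened: who is asking comes from the session, who owns the account comes
    from server-side data, and the amount is validated here regardless of what
    the client's JavaScript did."""
    account = form.get("from", "")
    if ACCOUNT_OWNERS.get(account) != session.user_id:
        raise Rejected("not your account")
    amount = parse_amount(form.get("amount"))
    return ("transfer", account, amount)


def rejects(handler, *args):
    """True if the handler refuses the request; used to show the two behaviours."""
    try:
        handler(*args)
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    # bob submits a form claiming to own alice's account, with client checks skipped.
    form = {"owner": "bob", "user": "bob", "from": "acct-001", "amount": "10.005"}
    print("trusting handler refused:", rejects(transfer_trusting_client, form))
    print("server-checked handler refused:",
          rejects(transfer_server_checked, Session("bob"), form))
```

The server-checked version never reads an identity or permission from the form; it only reads the fields that name *what* the user wants (account, amount) and decides *whether* they may have it from state the client cannot edit. That is the split MJB7 describes: move the rest to the client if you like, but this part stays.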

  3. jms222

    One of our people thought it would be good to pass user-supplied data via the shell rather than exec() and wrote his own code to try to escape things properly and didn't even read or check up on how the Bourne Shell treats single quotes. Duh!
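jms222's point about home-grown shell escaping, as an added example that is not code from the thread or from anyone in it. Inside `'...'` the Bourne shell treats nothing as an escape, not even a backslash, so wrapping a value in single quotes works until the value itself contains one; at that point the quote closes early and the rest of the value is parsed as shell syntax. The block below, in Python, puts the naive quoting beside `shlex.quote` (which handles the embedded quote by closing and reopening: `'it'"'"'s'`) and beside the approach the comment recommends, an argument list passed to exec with no shell involved. `shlex.split` is used as a model of how sh tokenises a command line; the function names and the sample values are constructed for the example.

```python
import shlex
import subprocess


def naive_single_quote(value):
    """Home-grown quoting: wrap in single quotes and hope. It ignores the sh rule
    that a ' inside '...' cannot be escaped; it simply ends the quoted string."""
    return "'" + value + "'"


def shell_tokens(command):
    """Split a command line the way a POSIX shell would (shlex follows sh quoting
    rules); raises ValueError on an unterminated quote, where sh reports a
    syntax error instead of running the intended command."""
    return shlex.split(command)


def build_with_naive_quote(filename):
    """Command string assembled with the home-grown quoting."""
    return "ls -l " + naive_single_quote(filename)


def build_with_shlex_quote(filename):
    """Command string assembled with the library's sh-aware quoting."""
    return "ls -l " + shlex.quote(filename)


def build_argv(filename):
    """Preferred: no shell at all. Each element reaches the program as one
    argument, byte for byte, so there is nothing to quote or escape."""
    return ["ls", "-l", filename]


def quoting_preserves_argument(command, expected):
    """True if the shell would hand the program exactly the intended argument."""
    try:
        return shell_tokens(command) == ["ls", "-l", expected]
    except ValueError:
        return False


def run_argv(argv):
    """Run without a shell (shell=False is the default); returns the exit status."""
    return subprocess.run(argv, capture_output=True, text=True).returncode


if __name__ == "__main__":
    for name in ["report.txt", "it's mine.txt"]:
        print(repr(name))
        print("  naive :", quoting_preserves_argument(build_with_naive_quote(name), name))
        print("  shlex :", quoting_preserves_argument(build_with_shlex_quote(name), name))
        print("  argv  :", build_argv(name))
    # The exec-style call needs no quoting at all; the filename need not exist for
    # this demonstration, ls merely reports that it is missing.
    print("exit status without a shell:", run_argv(["ls", "-l", "it's mine.txt"]))
```

The naive version passes the test data most developers try (`report.txt`) and fails on the first real-world value with an apostrophe, which is why it survives review. The argv form removes the shell from the path entirely, so the question of how sh treats single quotes never arises.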

  4. ecofeco Silver badge

    Injections?

    Learn something new every day. All this time I thought it was outsourcing.
