| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45
Back To Interview list
With computer security in the news, Michael Smith decided to talk with Matt Liotta about his CFUN-04 presentation on "Security".
Michael Smith: Why is security important for programmers? Isn't this a network administrator subject?
Matt Liotta: Well if there are any administrators in the attendance I am sure they will benefit from this presentation. However, this presentation is really meant for programmers. How we write code makes a big difference in the overall security of an application. Unfortunately, many programmers miss the potential security problems in their applications simply because they don't know any better. Or worse, they go to extraordinary lengths in the name of security only to miss subtle exploits that invalidate all their work.
MS: That sounds like a lot of work!
ML: Great security takes a lot of work, but good security can be achieved with a little insight that takes almost no extra work at all. In my presentation, I'll explain how certain practices can be adopted that in the end take no extra effort, but pay off big in terms of security, and have side benefits such as performance and robustness.
MS: That is a relief. But what about password protection of sites?
ML: While that is a pretty well understood topic, there are lots of different ways to attack the problem, each with their own implications that one may not be aware of. In fact, now that you bring it up, it is a pretty important topic that I fail to address in my presentation. I'll make sure to update my presentation to cover this information, though, so if you are interested in this topic, I guess I'll be seeing you at my presentation.
MS: That is cool! What about cookies and session variables? Is there a security risk there?
ML: Like anything, it all depends on how you make use of things. Are cookies inherently risky? No, but they certainly can be. I think we have all heard the stories about early e-commerce sites that stored pricing information in cookies, allowing people to buy items at a lower price simply by changing their cookies.
MS: Ouch! And I have heard that even prices in form variables are not safe. So will you show people how they can protect their e-commerce pricing from hackers like that?
ML: My presentation doesn't really focus on different variables scopes, but instead provides a wealth of information on how to appropriately make use of the different scopes. Certain practices can apply to multiple scopes, so it is much better to understand why they apply to those scopes then just to provide a set of rules for each scope.
MS: What about URL variables. Are they hacker proof?
ML: Again, it is not about individual scopes, but understanding the implications of how you use all scopes. Additionally, it isn't really about making things hacker-proof or even, the more appropriate term, cracker-proof; it is about making sure your application is designed in a way that doesn't allow users to make use of it in ways not intended. You don't have to be a cracker to manipulate cookie, URL, or form variables.
MS: Will you have code samples that we can copy in your talk?
ML: Not directly no, but certainly code will be shown.
MS: That sounds cool - I think I will be able to improve the security of my sites after coming to your talk! Thanks for talking with me.