Web applications and services have critical needs in terms of safety, security and privacy: they need to remain available constantly and can at any time be the object of attacks by malicious and anonymous distant users attempting to take control, alter data or steal it, or cause unwanted behaviors. Unfortunately, recent history shows numerous cases of popular web applications falling victim to such attacks, despite careful attempts to secure them.
In this talk, we introduce OPA (One Pot Application), a new platform based on formal methods, designed to make web development sane, safe and secure. OPA provides an integrated methodology where the complete application is written with one simple language with consistent semantics, enforces safe use of the infrastructure through compile-time static checking and a novel programming paradigm suited to the web and encourages correct-by-construction development.
2. What Automated Solutions Miss
What it’s all about
!!Theoretical
"!Logic flaws (business and application)
"!Design flaws
"!The Stupid
!!Practical
"!Difficulty interacting with Rich Internet Applications (RIA)
"!Complex variants of common attacks (SQL Injection, XSS,
etc)
"!Cross-Site Request Forgery (CSRF)
"!Uncommon or custom infrastructure
"!Authorization enforcement
"!Abstract information leakage
OWASP
OWASP 26
3. What it’s all about What Automated Solutions Miss
!!Theoretical
"!Logic flaws (business and application)
"!Design flaws
"!The Stupid
!!Practical
"!Difficulty interacting with Rich Internet Applications (RIA)
"!Complex variants of common attacks (SQL Injection, XSS,
etc)
"!Cross-Site Request Forgery (CSRF)
"!Uncommon or custom infrastructure
"!Authorization enforcement
"!Abstract information leakage
OWASP 6
“Automated vs. Manual: You can’t filter The Stupid”
Charles Henderson, David Byrne
AppSec DC 2009 + 2010
OWASP 2
4. What it’s all about What Automated Solutions Miss
!!Theoretical
"!Logic flaws (business and application)
"!Design flaws
"!The Stupid
!!Practical
"!Difficulty interacting with Rich Internet Applications (RIA)
"!Complex variants of common attacks (SQL Injection, XSS,
etc)
"!Cross-Site Request Forgery (CSRF)
"!Uncommon or custom infrastructure
"!Authorization enforcement
"!Abstract information leakage
OWASP 6
“Automated vs. Manual: You can’t filter The Stupid”
Charles Henderson, David Byrne
AppSec DC 2009 + 2010
“Oh, yeah?”
The MLstate team
AppSec Research 2010
OWASP 2
5. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 3
6. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 3
9. Web Applications
(what we see) Web
Server
JavaScript
Web Web
Web
Browser Web
Server
Server
Server
PHP?
+scripts
Who
knows?
Web Language
Language
Framework
Browser
Database
Database
Database
Java?
Language
OWASP 5
10. Web Applications
(what we see) Web
Server
JavaScript
Config
Web Web
Web
error?
Browser Web
Server
Server
Server
PHP?
+scripts
Who
knows?
Config
Web error? Language
Language
Framework
Browser
Config
error?
Config
Database
error?
Database
Database
Java?
Language
OWASP 5
11. Web Applications
(what we see) Web
Server
Protocol
JavaScript ?
Config
Web Web
Web
error?
Browser Protocol Web
Server
?
Server
Server
PHP?
+scripts
Who
knows?
Config
Web error? Language
Language
Framework
Browser
Config
error? Protocol Protocol
?
?
Config
Database
error?
Database
Database
Java?
Language
OWASP 5
12. Web Applications
(what we see) Web
Server Protocol
CSRF exploit
Protocol
JavaScript ?
Info leak
Config
Web Web
Web
error?
Browser Protocol Web
Server
Sniffing
?
Server
Server
Data
injection
Memory
injection
PHP?
+scripts
Who
knows?
Config
Web XSS error? Language
injection SQL Language
Framework
Browser injection
Config
error? Protocol Protocol
? Memory
Contami
? injection
nation
Config
Database
error?
Database
Database
Java?
Language
OWASP 5
13. Web Applications
(what we see) Web
Server Protocol
CSRF exploit
Protocol
JavaScript ?
Info leak
Contami Config
Web Web
Web
nation error?
Browser Protocol Web
Server
Sniffing
?
Server
Server
Data
injection
Memory
injection
PHP?
+scripts
Protocol Who
exploit Known knows?
Config
Web XSS error?
exploit
Language
injection SQL Language
Framework
Browser Protocol
injection
exploit
Config
error? Protocol Protocol
? Memory
Contami
? injection
nation
Config
+ Phishing Database
error? Protocol
+ (D)DoS, economic (D)DoS Database
Database
Java?
exploit
+ Flash, Silverlight, Gears, XPCOM, Language
Java(FX), NativeClient, Acrobat, QT...
+ Keyloggers
+ ... OWASP 5
15. The general idea
“If you can’t solve the problem, change the problem.”
Ferengi Rule of Acquisition #408
OWASP 6
16. The general idea
“If you can’t solve the problem, change the problem.”
Ferengi Rule of Acquisition #408
“What if the problem is that Joe User is stupid?”
(Joe Developer)
OWASP 6
17. The general idea
“If you can’t solve the problem, change the problem.”
Ferengi Rule of Acquisition #408
“What if the problem is that Joe User is stupid?”
(Joe Developer)
“It’s not him, it’s you. You should design your tool so
that Joe can’t do anything stupid.”
Ferengi Rule of Acquisition #408, contd.
OWASP 6
18. The general idea
“If you can’t solve the problem, change the problem.”
Ferengi Rule of Acquisition #408
“What if the problem is that Joe User is stupid?”
(Joe Developer)
“It’s not him, it’s you. You should design your tool so
that Joe can’t do anything stupid.”
Ferengi Rule of Acquisition #408, contd.
“What if the problem is that Joe Developer is stupid?”
(Joe Meta-Developer)
OWASP 6
19. The general idea
“If you can’t solve the problem, change the problem.”
Ferengi Rule of Acquisition #408
“What if the problem is that Joe User is stupid?”
(Joe Developer)
“It’s not him, it’s you. You should design your tool so
that Joe can’t do anything stupid.”
Ferengi Rule of Acquisition #408, contd.
“What if the problem is that Joe Developer is stupid?”
(Joe Meta-Developer)
“Haven’t I answered that question already?”
Ferengi Rule of Acquisition #408, contd.
“...oh, and don’t forget to make sure that Joe can
still use the tools!”
Ferengi Rule of Acquisition #408, contd.
OWASP 6
25. General OPA design
Clean-slate design
Based on formal methods
Safe languages from the bottom up
One language for the whole application
Glue & checks generated automatically
No impedance mismatch
OWASP 8
26. General OPA design
Clean-slate design
Based on formal methods
Safe languages from the bottom up
One language for the whole application
Glue & checks generated automatically
No impedance mismatch
“Just” a distributed system
In which not all principals are trusted
And communications use web standards
Security is (mostly) automatic
OWASP 8
27. General OPA design Joe doesn’t need
to know
Clean-slate design
Based on formal methods
Safe languages from the bottom up
One language for the whole application Simpler than LAMP
Glue & checks generated automatically
No impedance mismatch
“Just” a distributed system Joe doesn’t need
to know
In which not all principals are trusted
And communications use web standards
Security is (mostly) automatic
OWASP 8
28. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 9
29. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 9
40. Things we can do (and check!)
Programmable security policies
Ajax SOAP Complex database
...
XML processing
Comet
Fine-grained sessions Time-unlimited rollback
Distribution
Multitasking
Higher-order database
User interface Concurrent transactions
WSDL
Higher-order programming
Data history
Capabilities
OWASP 14
41. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 15
42. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 15
50. More
A1-Injection A6-Security Misconfiguration
A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage
A3-Broken Authentication and
A8-Failure to Restrict URL Access
Session Management
A4-Insecure Direct Object A9-Insufficient Transport Layer
References Protection
A5-Cross Site Request Forgery A10-Unvalidated Redirects and
(CSRF) Forwards
OWASP 17
51. More
A1-Injection A6-Security Misconfiguration
A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage
A3-Broken Authentication and
A8-Failure to Restrict URL Access
Session Management
A4-Insecure Direct Object A9-Insufficient Transport Layer
References Protection
A5-Cross Site Request Forgery A10-Unvalidated Redirects and
(CSRF) Forwards
OWASP 17
52. More
A1-Injection A6-Security Misconfiguration
A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage
A3-Broken Authentication and
A8-Failure to Restrict URL Access
Session Management
A4-Insecure Direct Object A9-Insufficient Transport Layer
References Protection
A5-Cross Site Request Forgery A10-Unvalidated Redirects and
(CSRF) Forwards
OWASP 17
53. progress)
What Automated Solutions Miss
!!Theoretical
"!Logic flaws (business and application)
"!Design flaws
"!The Stupid
!!Practical
"!Difficulty interacting with Rich Internet Applications (RIA)
"!Complex variants of common attacks (SQL Injection, XSS,
etc)
"!Cross-Site Request Forgery (CSRF)
"!Uncommon or custom infrastructure
"!Authorization enforcement
"!Abstract information leakage
OWASP
OWASP 16
18
6
54. progress)
What Automated Solutions Miss
^
other
!!Theoretical
"!Logic flaws (business and application) (in progress)
"!Design flaws
"!The Stupid (what we do best)
!!Practical (been there, done that)
"!Difficulty interacting with Rich Internet Applications (RIA)
"!Complex variants of common attacks (SQL Injection, XSS,
etc) (been there, done that)
"!Cross-Site Request Forgery (CSRF) (in progress)
"!Uncommon or custom infrastructure (abstract&specify them away!)
"!Authorization enforcement (been there, done that)
"!Abstract information leakage (been there, done that)
OWASP
OWASP 16
18
6
55. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 19
56. OPA: Language Support for a Sane, Safe and
Secure Web
General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future
OWASP 19
57. Theoretical foundations
Building on 30+ years of research in formal
methods & language theory.
Key for precise analysis.
Key for precise optimizations.
OWASP 20
58. False positives
False positives are annoying but not that bad --
as long as they are predictable and there’s a
workaround.
Experienced developers make safety/security
mistakes quite often.
False positives often later reveal themselves as
true positives.
OWASP 21
61. That’s all, folks!
Thanks and apologies to David Byrne & Charles Anderson
for hijacking their slides
http://www.mlstate.com
OWASP 23
Notes de l'éditeur
7 years project coming to fruition
I had to swear upon everything I hold sacred that I would not attempt to sell anything to you. So, I’m going to do by something else. I’m going to steal one of yesterday’s presentations.
I’d like to introduce you to a concept that may be new to some in this room. In technical terms, we call it a web application.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.
And if you want to know the scary thing? Assuming you have secured all of these pipes, you haven’t even started securing your application itself.
Ok, if you’re like me, at this stage, you’re starting to wonder just exactly where things went wrong. Well, I have one possible explanation. We’re in a 21st setting and we’re still using programming languages designed for command-line applications or desktop applications, and stacks of unrelated and mismatched technologies, to which we add plenty of glue. And when security issues appear, because they have to appear, we’re addressing them with what? With patches and sandboxing.